Windows Security and Directory Services for UNIX using Centrify DirectControl


SOLUTION GUIDE, CENTRIFY CORP., SEPTEMBER 2005

Windows Security and Directory Services for UNIX using Centrify DirectControl

With Centrify, you can now fully leverage your investment in Active Directory to significantly strengthen security, reduce infrastructure costs, streamline IT operations, and better comply with regulatory requirements.

ABSTRACT

Most IT environments include a significant number of Windows desktops and servers and typically use Active Directory to manage their Windows infrastructure. An ideal solution would be to leverage Active Directory for identity, access and policy management beyond Windows and include UNIX, Linux and Mac, the next largest base of systems in most large enterprises. This solution guide is an end-to-end implementation guide for customers looking to build an Active Directory solution for UNIX, Linux and Macintosh platforms using Centrify's DirectControl product. The guide provides a detailed introduction to the DirectControl components as well as prescriptive guidance on designing, developing, testing, deploying and operating the solution using DirectControl. This guide also includes an evolving section with information on how to extend DirectControl to other scenarios, allowing you to further leverage your investment in Active Directory.

WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation. Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© Centrify Corporation, Microsoft Corporation. All rights reserved. Centrify and DirectControl are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. [DC ]

CENTRIFY CORPORATION ALL RIGHTS RESERVED. PAGE II

Contents

Introduction
    Introducing the Final End State
    Real World Example
    Introducing the Centrify DirectControl Solution
    Intended Audience
    Knowledge Prerequisites
    Software Prerequisites
    Overview of Centrify DirectControl Technology
    Overview of Software Components for Windows
    Overview of Software Components for UNIX
    Storing UNIX User Attributes in Active Directory
Designing the Centrify DirectControl Solution
    Conceptual Design of Centrify DirectControl Solution
    Logical Design of Centrify DirectControl Solution
    Physical Design of Centrify DirectControl Solution
Developing the Centrify DirectControl Solution
    Introduction and Goals
    Major Tasks and Deliverables
    Preparing Your Environment
    Installing and Configuring Active Directory Domain Controllers
    Configuring the DNS Server
    Creating Test Users and Groups
    Verifying Time Synchronization
    Developing the Components of the Solution
    Choosing DirectControl Zones or Active Directory Schema Extensions
    Installing Centrify DirectControl on Windows
    Configuring Active Directory with the First DirectControl Zone
    Enabling Active Directory Groups and Users for UNIX
    Installing the Centrify DirectControl Agent on UNIX or Linux
    Joining the Active Directory Domain
    Restarting Running Services
    Performing Quick Validation Tests
    Confirming Configuration of Users and Groups
    Confirming UNIX Computer Membership in Active Directory
    Logging On to a UNIX Computer with an Active Directory User Account
    Major Milestone: Solution Development Complete
Testing and Stabilizing the Centrify DirectControl Solution
    Introduction and Goals
    Major Tasks and Deliverables
    Testing the DirectControl Solution
    Testing Joining a UNIX Computer to Active Directory
    Testing Active Directory Authentication
    Testing Workstation Authorization Policies
    Testing Account Lockout Policies
    Testing Password Management Policies
    Testing Offline Authentication
    Testing Additional Administrative Tasks
    Conducting a Pilot
    Major Milestone: Testing and Stabilization Complete
Deploying the Centrify DirectControl Solution
    Introduction and Goals
    Major Tasks and Deliverables
    Completing Deployment Preparations
    Importing Existing UNIX Accounts into Active Directory
    Using Zones to Manage Role-based Access Control Mapping
    Using Group Policy with DirectControl to Manage GPOs
    Applying Security Controls
    Choosing a Phased Deployment Option
    Preparing the IT Support Staff and Users
    Deploying the Solution
    Deploying the Infrastructure
    Joining UNIX Computers to Active Directory
    Stabilizing the Deployment
    Major Milestone: Deployment Complete
Operating the Centrify DirectControl Solution
    Introduction and Goals
    Intended Audience
    Knowledge Prerequisites
    Major Tasks and Deliverables
    Managing System Administration
    Administering Directory Services
    Administering DirectControl Zones
    Administering Security
    Delegation of Zone Administration
    Security Policy Administration
    Simplifying Service Desk Operations
    Assessing Capacity
    Reporting and Auditing
    Major Milestone: Operations Readiness Complete
Evolving the Centrify DirectControl Solution
    Introduction and Goals
    Intended Audience
    Knowledge Prerequisites
    Determining What the Next Steps are for Your Security and Directory Services Solution
    Expanding Single Sign-On Capabilities to Applications
    Using Kerberized Applications
    Using PAM-aware Applications
    Using DirectControl for Web-based Single Sign-On
    Supporting Legacy NIS Applications
    Enabling Configuration and Access Control with Active Directory and Group Policy
    Applying Domain-wide Policy through Active Directory
    Applying Policy for UNIX Users and Computers with Group Policy
Summary

Introduction

This solution guide is designed to be used by the project team within an end-user organization tasked with extending Microsoft Active Directory identity, access control and policy management services to UNIX, Linux and Apple Macintosh systems.

Introducing the Final End State

The goal of the guide is to assist the user in building an End State where Active Directory is used to authenticate UNIX clients via Kerberos, and authorization and identity information is accessible via LDAP. This solution makes use of Active Directory to store both authentication data and authorization data. Centralizing authentication and authorization data allows users to log in securely to both UNIX and Windows hosts with a single user name and password. Users may then access applications configured for Kerberized single sign-on without providing a user name or password. Additionally, centralizing this data allows for consolidation of administration functions, eliminating any need for separate administration of authentication and authorization data on the UNIX side. Systems previously used to store authentication and authorization data in the UNIX environment can be retired once that data has been centralized in Active Directory. This solution is most appropriate for an organization with an existing UNIX infrastructure that wants to provide users with single sign-on to both Windows and UNIX hosts, as well as to any Kerberized application, and to centralize administration of user data in Active Directory. It is a good choice both for organizations that have already implemented Kerberos authentication and for those just starting down the Kerberos path.

Real World Example

An organization uses NIS to store authentication and authorization data for UNIX users. They are looking for ways to centralize administration of user data and retire the existing user data storage systems. They are also interested in providing users with a single user name and password to access both the UNIX and Windows sides of the organization. The added security of Kerberized authentication and the potential for single sign-on to applications using Kerberos credentials also interest them.

Introducing the Centrify DirectControl Solution

The Centrify DirectControl suite uses the Microsoft Windows Server 2003 Active Directory service to provide secure, centralized management of identities, access control, and policy for computers running UNIX, Linux, or Macintosh operating systems. Deploying the Centrify DirectControl solution enables you to consolidate all computer, user, and group accounts in Active Directory and use Active Directory for all authentication, authorization, and directory services. DirectControl also includes features that extend identity management to controlling access to applications running on UNIX, Linux, or Macintosh platforms. These include Web applications and application servers such as Apache, Tomcat, JBoss, IBM's WebSphere and BEA's WebLogic.

DirectControl provides a complete, integrated commercial solution that enables a rapid implementation of the End State, letting you use Active Directory to authenticate UNIX clients with Kerberos and to access UNIX authorization and identity information with the Lightweight Directory Access Protocol (LDAP). This guide describes how to prepare, develop, deploy, operate, and evolve the DirectControl technical solution to reach this End State goal in an environment that includes Windows and UNIX or Linux computers. This section introduces you to the DirectControl solution and does not cover all aspects of configuring or using this product. Although DirectControl supports multiple UNIX and Linux platforms and Apple Mac OS X, the information and steps in this guide are specific to Red Hat Linux version 9. For more information about Centrify DirectControl, including specific information and steps for other supported operating systems, review the Centrify DirectControl Administrator's Guide that is included with the product and the other information available on the Centrify Web site.

Intended Audience

All project team leads should read each section of this guide. Specific sections of this guide should be read by all team members who share a specific role:

Introduction. All members of the project team should read this section as it provides background information on the Centrify DirectControl solution components.

Design. The primary audience for the Design section is solution architects and the Development team.

Development. The primary audience for the Development section is the Development team, but members of the User Experience (documentation and usability) and Test teams are also responsible for specific tasks. For example, some team members set up the environment; others create rollout and site preparation checklists and updated pilot and rollout plans; and others perform verification testing.

Test. The primary audience for the Test section is the Test, Development, and Release Management teams.

Deployment. The primary audience for the Deployment section is the Release Management team.

Operations. The audience for the Operations section is systems administrators, computer security personnel, and operators responsible for both UNIX or Linux computers and the Windows environment.

Evolving. The audience for the Evolving section includes all teams. It is especially appropriate for developers who want to take advantage of Kerberos authentication and directory capabilities in their applications.

Knowledge Prerequisites

Team members should review the following documentation:

Centrify DirectControl Administrator's Guide

Centrify DirectControl Evaluation Guide

Centrify's technical white paper, Centrify's Solution for Migrating UNIX Directories to Active Directory: Leveraging Centrify's DirectControl and Zone Technology to Simplify Migration, which is available from Centrify Corporation.

See the next subsection for information about how to obtain these documents.

Software Prerequisites

To deploy the Centrify DirectControl solution for the End State, you need access to the DirectControl software. The DirectControl software is available on a single CD-ROM. This CD-ROM includes all of the software and documentation components referred to in this document for both Windows and the various supported UNIX and Linux platforms. You can either request an evaluation copy or purchase Centrify DirectControl licenses directly from Centrify Corporation. The DirectControl evaluation license enables unlimited use of the software for any number of computers and users for a 30-day period. To contact Centrify, you can:

Visit the Centrify Web site.

Send e-mail to Centrify: info@centrify.com.

Call Centrify.

In addition to obtaining the DirectControl software, you must have Active Directory configured and deployed to effectively implement this solution. For more information about these prerequisites, see Preparing Your Environment later in this guide. For an overview of the DirectControl solution and its components, see the next section, Overview of Centrify DirectControl Technology.

Overview of Centrify DirectControl Technology

The Centrify DirectControl solution integrates Windows and UNIX environments in a unique way, giving Active Directory users and groups access to UNIX and Linux resources and allowing UNIX users, groups, and computers to be imported into and managed through Active Directory. When you use DirectControl to achieve the End State, you can:

Specify which Active Directory users and groups can log on to a specific UNIX computer or group of computers.

Control user access to UNIX computers across the entire Active Directory forest, regardless of the organizational structure you use or where users are defined in that structure.

Map local UNIX accounts, such as the root user, to Active Directory accounts for centralized control over access and passwords.

Identify specific local UNIX accounts to be authenticated locally rather than through Active Directory.

Migrate multiple existing UNIX account information stores into Active Directory, as needed.

Enable authenticated users to connect to Web applications without being prompted to log on again with their Active Directory credentials (single sign-on).

Take advantage of Microsoft's Group Policy to apply settings and controls for UNIX users and computers.

To enable integration, Centrify DirectControl provides components that are installed in the Windows environment and components that are installed on each UNIX or Linux computer.

Overview of Software Components for Windows

When you run the Centrify DirectControl setup program on a Windows computer, you can choose which components to install. You can choose from both required and optional components, as follows:

Required:

You must install the Active Directory property extensions on at least one computer that is joined to an Active Directory domain and has the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in installed. Active Directory Users and Computers is installed in Administrative Tools by default on a Windows domain controller. You can install this snap-in on other computers running Windows Server (see "To add a snap-in to a new MMC console for a local computer" in Help and Support Center for Windows Server 2003). It is also available for Windows XP by installing the Windows Server 2003 Administration Tools Pack, which you can download from the following location: c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en

The property extensions let Active Directory store the additional UNIX attributes for each user account while using the native Active Directory schema.

You must install the Centrify DirectControl Administrator Console on at least one computer that can access Active Directory domains. The Centrify DirectControl Administrator Console provides a central location for managing UNIX users, groups, and computers and for performing administrative tasks, such as importing accounts, running reports, and analyzing account information.

Optional:

Documentation, release notes, and online help for the Centrify DirectControl Administrator Console are optional. You can install one or more of them on any Windows computer.

The DirectControl Network Information Service (NIS) Map Extensions component is optional. You can install it on at least one computer if you want to import and manage NIS maps, such as netgroup or auto.master, in Active Directory.

The DirectControl Administrative Template for Group Policy is optional. You can install it on at least one computer on which the Group Policy Object Editor console is installed.

Overview of Software Components for UNIX

When you run the Centrify DirectControl installation script on a UNIX computer, a core Agent package of services that handles communications between programs on the UNIX platform and Active Directory is installed. You can also install optional components that require additional steps to activate, such as the DirectControl authentication and authorization module for Apache or the DirectControl Network Information Service (NIS) daemon.

The following figure depicts the components of the DirectControl software that run on a UNIX computer.

Figure 1.1. Simplified view of the Centrify DirectControl architecture

The following table briefly defines each component shown in the figure.

Table 1.1. Centrify DirectControl Architecture Components

Centrify DirectControl daemon (adclient): The DirectControl Active Directory client daemon, adclient, manages all direct communications with Active Directory as well as all operations provided through the other DirectControl services.

DirectControl Service Library: Service libraries are included with DirectControl to handle Kerberos, LDAP, and Active Directory-specific calls. These libraries are used by the various DirectControl modules.

CLI Tools: The DirectControl command-line interface (CLI) programs enable you to perform common administrative tasks, such as joining or leaving the Active Directory domain, changing user passwords, or collecting diagnostic information. You can use these command-line programs interactively or in scripts to automate tasks.

Kerberos Cache, Keytab and Configuration: DirectControl automatically sets up and maintains the Kerberos system files (configuration, keytab and credential cache) and services on the UNIX computer.

Offline Cache: When a user logs on to the UNIX computer, the user's credentials are cached locally so that the user can continue to log on to the computer in future sessions, even when a domain controller is not available or the network is offline.

Kerberized Apps (ssh, nfs, ...): Applications that use Kerberos for authentication can use the Kerberos configuration and credentials that DirectControl maintains to authenticate against Active Directory.

UNIX Login Apps (login, ftp, ssh, ...): Standard UNIX applications that use NSS or PAM to locate a name service or an authentication mechanism can use Active Directory for these services through DirectControl.

NSS Module: The DirectControl Name Service Switch (NSS) module enables standard operating system services that do not use PAM or Kerberos to look up information in Active Directory. The installer updates the /etc/nsswitch.conf file so that lookups go through the DirectControl daemon, which retrieves the information stored in Active Directory over LDAP.

PAM Module: The DirectControl Pluggable Authentication Module (PAM) module, pam_centrifydc, works with the adclient daemon to provide a number of services, such as checking for password expiration, filtering for users and groups, and creating the local home directory and default user profile files for new users. The pam_centrifydc module is automatically placed first in the PAM stack in the /etc/pam.d/system-auth file to ensure that it takes precedence over other authentication modules.

Apache: The Apache Web server can be configured to use Active Directory for backend directory and authentication services.

Apache SPNEGO Module: The DirectControl Apache SPNEGO Module provides silent authentication services for Apache Web applications using Active Directory as the authentication authority.

SDK: The DirectControl Software Development Kit (SDK) can be used to create custom applications and scripts that integrate with Active Directory for authentication and directory services.

J2EE Apps (WebLogic, WebSphere, Tomcat, JBoss): J2EE application platforms such as BEA's WebLogic, IBM's WebSphere, Tomcat, and JBoss (and the applications that run on these platforms) can be configured to use Active Directory for backend directory and authentication services.

J2EE JAAS Module: Java Authentication and Authorization Service (JAAS) is a standard Java package that provides interfaces that allow applications to perform silent or prompted authentication of user credentials. Centrify DirectControl includes a customized JAAS realm for J2EE applications that supports using Active Directory for authentication.

J2EE SPNEGO Module: The DirectControl J2EE SPNEGO Module uses Active Directory as the authentication authority to provide silent authentication services for J2EE Web applications.

Group Policy Service: The DirectControl Group Policy service interfaces with the Group Policy system on the Windows server and ensures that applicable policies are correctly applied on the UNIX computer.

System Config Files: System configuration files on the UNIX computer are where the settings delivered by Group Policy objects for the UNIX platform are applied.

Virtual Registry: DirectControl maintains a virtual registry that is used to store the configuration settings that the DirectControl Group Policy system applies.

NIS Service (adnisd): The optional DirectControl Network Information Service (NIS) daemon, adnisd, can be installed on at least one computer if you want to store NIS maps in Active Directory and publish the information through DirectControl.

NIS Client Apps: Local and remote NIS client systems and applications can use DirectControl NIS to access directory information stored in Active Directory.

NIS Cache: NIS information is cached locally on a system that runs the DirectControl NIS daemon. This reduces network traffic and load on Active Directory domain controllers.

The following subsections provide more detail about the most important components of the Centrify DirectControl architecture.

Centrify DirectControl Daemon (adclient)

The core component of the Centrify DirectControl Agent is the adclient daemon. The DirectControl adclient daemon handles all direct communications with Active Directory and works in conjunction with all other DirectControl Agent modules to perform the following key activities:

Locates domain controllers. Locates the appropriate domain controllers for the UNIX or Linux computer based on Active Directory forest and site topology.

Verifies domain membership. Provides Active Directory with credentials that verify that the computer is a valid member of the domain.

Manages user credentials. Delivers and stores user credentials so that users can be authenticated by Active Directory and can sign on even when the computer is disconnected from the network.

Caches information to improve performance. Caches query responses and other information to reduce network traffic and the number of connections to Active Directory. The cache contents and all communications with Active Directory are encrypted. The daemon caches both positive and negative query results for better performance.

Manages Kerberos. Creates and maintains the Kerberos configuration and service ticket files so that existing Kerberized (Kerberos-enabled) applications work with Active Directory without additional manual configuration.

Synchronizes clock. Synchronizes the local computer's time with the clock maintained by Active Directory so that the timestamps on Kerberos tickets issued by the Windows Key Distribution Center (KDC) fall within the permitted clock skew (five minutes by default in Active Directory).

Resets computer password. Resets the password for the local computer account in Active Directory at regular intervals to maintain security for the account's credentials.

Provides services to other modules. Provides authentication, authorization, and directory look-up services to the other DirectControl modules, for example, to the PAM or Java modules.

The DirectControl adclient daemon must be running on the UNIX or Linux computer for that computer to have access to the information stored in Active Directory.
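The component table above states that the NSS module rewrites /etc/nsswitch.conf and that pam_centrifydc is placed first in the PAM stack of /etc/pam.d/system-auth. Those two facts are what a practitioner should verify after a join, because a local module that sits ahead of pam_centrifydc (for example a "sufficient" pam_unix) would decide the login before Active Directory is consulted. The following script is an added example, not part of Centrify's product: it parses both files and reports any database or PAM management group where the hook is missing or not first. It assumes the NSS source name is centrifydc (derived from the nss_centrifydc module name) and the PAM shared object is pam_centrifydc.so; the before/after configurations are constructed for the example rather than copied from a real host.

```python
"""Check that the NSS and PAM hooks for DirectControl are present and ordered
correctly. Added example, not Centrify code. Assumes the NSS source name
"centrifydc" (for nss_centrifydc) and the module file pam_centrifydc.so.
The sample configurations are constructed for this example."""
from typing import Dict, List, Tuple

NSS_DATABASES = ("passwd", "group", "shadow")
PAM_TYPES = ("auth", "account", "password", "session")
NSS_SOURCE = "centrifydc"          # assumption: source name for nss_centrifydc
PAM_MODULE = "pam_centrifydc.so"   # assumption: shared-object name of the PAM module


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database to its ordered sources; [status=action] tokens are dropped."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        dbs[name.strip()] = [t for t in sources.split() if not t.startswith("[")]
    return dbs


def parse_pam(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each management group to its ordered (control, module) entries."""
    stacks = {t: [] for t in PAM_TYPES}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        ptype = fields[0].lstrip("-").lower()   # leading '-' marks an optional module
        idx = 2                                  # index of the module field
        if fields[1].startswith("["):            # bracketed control: [success=1 default=ignore]
            while idx < len(fields) and not fields[idx - 1].endswith("]"):
                idx += 1
        if idx >= len(fields):
            continue                             # malformed line, no module field
        control = " ".join(fields[1:idx])
        module = fields[idx].rsplit("/", 1)[-1]  # strip any path prefix
        if ptype in stacks:
            stacks[ptype].append((control, module))
    return stacks


def check_nsswitch(dbs: Dict[str, List[str]]) -> List[str]:
    """Databases that never consult the DirectControl source."""
    return [db for db in NSS_DATABASES if NSS_SOURCE not in dbs.get(db, [])]


def check_pam(stacks: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Management groups whose first module is not pam_centrifydc, i.e. where a
    local module could decide before Active Directory is asked."""
    return [t for t in PAM_TYPES if not stacks[t] or stacks[t][0][1] != PAM_MODULE]


def audit(nsswitch_text: str, pam_text: str) -> Dict[str, List[str]]:
    """Combined report; empty lists mean both hooks are in place."""
    return {"nss_missing": check_nsswitch(parse_nsswitch(nsswitch_text)),
            "pam_not_first": check_pam(parse_pam(pam_text))}


# Constructed samples: a stock Red Hat layout, and the same files after the
# DirectControl hooks have been added.
NSSWITCH_BEFORE = "passwd: files\nshadow: files\ngroup: files\nhosts: files dns\n"
NSSWITCH_AFTER = ("passwd: files centrifydc\nshadow: files centrifydc\n"
                  "group: files centrifydc\nhosts: files dns\n")
SYSTEM_AUTH_BEFORE = """\
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
session     required      pam_unix.so
"""
SYSTEM_AUTH_AFTER = """\
auth        sufficient    pam_centrifydc.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     sufficient    pam_centrifydc.so
account     required      pam_unix.so
password    sufficient    pam_centrifydc.so try_first_pass
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
session     required      pam_centrifydc.so
session     required      pam_unix.so
"""

if __name__ == "__main__":
    for label, nss, pam in (("before join", NSSWITCH_BEFORE, SYSTEM_AUTH_BEFORE),
                            ("after join", NSSWITCH_AFTER, SYSTEM_AUTH_AFTER)):
        print(label, audit(nss, pam))
```

On a joined host, feed audit() the contents of /etc/nsswitch.conf and /etc/pam.d/system-auth instead of the constructed strings; any non-empty list is a configuration the Quick Validation Tests later in this guide would expose as a login that silently bypasses Active Directory.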

Centrify DirectControl for PAM-Enabled Services (pam_centrifydc)

The Centrify DirectControl PAM module, pam_centrifydc, provides the interface between the standard UNIX authentication libraries used by most system applications and the DirectControl adclient daemon that manages direct communications between a UNIX or Linux host and Active Directory. The pam_centrifydc module provides the following services:

Kerberos-based user authentication for PAM-enabled services. Services such as login, sshd, telnetd, and ftpd, which are typically configured to use PAM, can authenticate users with Kerberos tickets against Active Directory. After the user is authenticated, the DirectControl daemon stores the Kerberos credentials locally in an encrypted cache so that the credentials are available for other applications to use.

Disconnected authentication. When users log on and are authenticated successfully through Active Directory, the pam_centrifydc module caches their credentials so that they can log on and be authenticated when the computer is disconnected from the network or when no Active Directory domain controller is available.

Automatic home directory creation. When a new user logs on and is authenticated through Active Directory, the pam_centrifydc module creates a home directory for the user if one does not already exist. The path corresponds to the home directory attribute for the user stored in Active Directory.

Account conflict checking. When users log on, the pam_centrifydc module checks for user name and user ID (UID) conflicts between users enabled for UNIX or Linux access in Active Directory and local user accounts defined in the /etc/passwd file. If a conflict exists, a warning is displayed to the user upon logon and an event is written to the local UNIX system log.

User and group filtering for fine-tuned access control. You can use group policy to grant or deny users or groups access to any computer or group of computers managed by DirectControl. Your group policy settings are enforced through the pam_centrifydc module.

Local override flexibility. DirectControl allows you to designate one or more user accounts that are always authenticated locally using the /etc/passwd file instead of Active Directory.

Password administration. DirectControl provides a command-line program, adpasswd, that lets UNIX or Linux users change their Active Directory password from the UNIX or Linux computer. The pam_centrifydc module enforces your Active Directory password policies for length, complexity, expiration, and history.

Centrify DirectControl Name Service Switch (nss_centrifydc)

The Centrify DirectControl NSS module, nss_centrifydc, performs the user and group lookups (including the UID and GID resolution that file-based authorization depends on) that programs and applications request, using LDAP through the adclient daemon. The adclient daemon stores the responses locally in an encrypted cache for faster performance, reduced network traffic, and disconnected operation. In addition, the DirectControl NSS module provides the following features:

User and group filtering to selectively look up information in Active Directory. Through configuration options or group policy, you can handle lookup requests for specific users and groups locally rather than through Active Directory. For example,

14 WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL 9 you might not want to use Active Directory for special system accounts, for groups, or for a specific set of UIDs. User and group override controls for fine-tuned access control Through configuration options or group policy, you can handle override entries in the /etc/passwd file or /etc/group file to provide custom access to local accounts or groups. Program filtering to prevent account conflicts with Active Directory Through configuration options or group policy, you can specify programs that you do not want to look up account information in Active Directory. You can use this feature to ensure that local programs that create, manage, or use local user and group information do not attempt to look up conflicting information in Active Directory. Storing UNIX User Attributes in Active Directory UNIX computers use a traditional set of information fields that are associated with a user in the account information store. Regardless of whether the store is local (that is, /etc/passwd) or in a central directory (for example, NIS or LDAP), these fields must be present in order for a normal UNIX user experience to occur. Some of these information fields have a similar field in Active Directory. For example, the Active Directory Display Name field is similar to what is typically stored in the Gecos field in an /etc/passwd file that is, the full name of the user. However, a UNIX computer must look up certain fields that do not have an equivalent in the Active Directory system. Some of these fields include User ID (specifies the user's unique numeric ID), Principle Group (specifies the user's principal or primary group ID), Home Directory (specifies the full path name of the user's home directory), and Shell (specifies the initial program or shell that is executed after a user invokes the login command or su command). 
To use Active Directory as a directory store for UNIX accounts, some mechanism must be put in place to store these extra attributes and to tie them to each user account. Many solutions take the approach of extending the Active Directory schema to accommodate the storage of additional attributes. For example, Microsoft Services for UNIX (SFU) includes a mechanism to extend the default schema. After the default schema is extended, every user in the domain has extra fields available for storing information associated with accessing UNIX computers. These fields include NIS Domain, UID, Login Shell, Home Directory, and Primary group name. DirectControl supports two methods for storing UNIX user attributes in Active Directory: using DirectControl Zones, or implementing the Microsoft SFU schema extensions.

DirectControl Zones

As described in the sections about conceptual and logical designs for DirectControl solutions, Centrify DirectControl introduces a new mechanism for storing UNIX user attributes. DirectControl takes advantage of a standard facility within Active Directory that allows applications to store data under the Program Data container hierarchy. In this container, DirectControl stores information in Zones. Each Zone can include information about related computers, users, and groups that are joined to Active Directory. Because the Zone concept is extensible, users can be associated with multiple UNIX identities in numerous Zones if required. For example, you can create Zones by importing the user information from multiple legacy NIS directories in your organization. The UNIX-related information associated with each user in each Zone can then be tied to an Active Directory user account. Even if the user has a different user name or UID in each Zone, the user can still be associated with a single Active Directory account and a single Active Directory password.
Zones are also useful for organizations that want to establish strict role-based access controls for UNIX computers, groups, and users. For example, you can add Active Directory users or groups as members of a Zone if those users or groups need to access computers in that Zone. Other users or groups who are not members of the Zone cannot access the computers in that Zone.

Microsoft Services for UNIX Schema Extensions

As mentioned earlier, the Microsoft Services for UNIX (SFU) product includes a method for extending the Active Directory schema by adding storage fields for UNIX attributes. DirectControl fully supports using these Microsoft-supported schema extensions. If your organization has deployed the SFU schema extensions, DirectControl can treat them as a separate Zone. Other Zones can be used side by side with the SFU Zone, which gives your organization considerable flexibility for establishing a consolidated identity solution that best meets your needs. Centrify DirectControl supports the SFU schema extensions because these are the UNIX schema extensions that Microsoft officially supports. Microsoft implemented a new UNIX schema for the 2005 release of Windows Server. Centrify fully supports this new schema and plans to continue to track and support any UNIX schema extensions that Microsoft supports in the future.

Important: Extending the Active Directory schema requires care. To reduce the chance that problems arise during the extension process, the recommended practice is to select extension mechanisms that Microsoft supports. Before you extend the schema, see "Extending the schema" in the Windows Server 2003 Help and Support Center.

The example in the following screenshot displays SFU schema attributes as a DirectControl Zone on the Centrify Profile tab for Jeff Hay. The Centrify Profile tab appears on the user properties page in Active Directory Users and Computers after you run the DirectControl Setup Wizard. You can also view or modify SFU settings by using the UNIX Attributes tab.

Figure 1.2. SFU schema attributes appear as a Centrify Zone on the user properties page in Active Directory Users and Computers

For more information about DirectControl Zones and about how to accommodate legacy UNIX identity stores, see the white paper "Centrify's Solution for Migrating UNIX Directories to Active Directory: Leveraging Centrify's DirectControl and Zone Technology to Simplify Migration" on the Centrify Web site at

Designing the Centrify DirectControl Solution

Before beginning development of the solution, it is essential to understand the underlying design of the Centrify DirectControl product and how it can be applied to extending Active Directory services to UNIX systems and applications. This section reviews the conceptual and logical design of a solution using DirectControl, as well as an example of a physical design showing how DirectControl would be deployed in a real-world scenario.

Conceptual Design of Centrify DirectControl Solution

Centrify's DirectControl solution combines the authentication, authorization and directory services required for the End State into a single integrated solution. Rather than treating each component service as a separate concept that requires an individual design, the design for the single DirectControl service more than covers the requirements for the End State. In concept, a UNIX or Linux machine with the DirectControl agent installed is very similar to a Windows XP client from the standpoint of the services provided between the Active Directory server and the client system. By combining authentication, authorization and directory services into a single integrated service, administrators benefit from simplicity, reduced overhead in building and maintaining the solution, and the secure centralization of user identity management. Users also benefit, since the username, password and policies (e.g. password complexity rules) they use on their Windows clients can now be applied to their UNIX and Linux clients. Figure 1.3 illustrates the conceptual design for using DirectControl to provide authentication and authorization services to a UNIX or Linux client.

Figure 1.3. Overview of the conceptual designs for authentication, authorization and directory services using Centrify DirectControl

Centrify DirectControl introduces a new concept that needs to be understood and taken into consideration when planning this solution: the DirectControl Zones feature. DirectControl Zones allow groups of UNIX machines, groups and users to be treated as a distinct identity cluster, partitioning off systems that have common identity attributes. Users can be members of more than one Zone and can have different user attributes (e.g. a different username) in each Zone. For example, all machines in the finance department could be grouped into a single Zone called finance, and the members of that Zone could be restricted to finance employees and all senior managers. This gives the organization better control over access to systems based on well-defined roles. Additionally, DirectControl Zones can be used to restrict access to certain types of applications running on the UNIX systems.

Zones also become important when dealing with multiple existing UNIX identity systems that are being migrated to Active Directory. For example, most organizations have multiple identity stores in use on their current UNIX platforms, including LDAP directories, NIS/NIS+ and local account stores using /etc/passwd. Often a single user is a member of more than one identity store and may even have a different username, UID or group memberships in each. DirectControl Zones allow the organization to import the information from their legacy UNIX identity stores into separate Zones without forcing the organization to consolidate the multiple identities that each user might have. The result might be a structure with three Zones in Active Directory: one with the pre-existing UNIX LDAP directory information, one with the imported information from an existing NIS directory, and one with the imported contents of an /etc/passwd file from a single UNIX system.

If a user has an account in all three systems, these can now be mapped back to a single Active Directory identity, even if the user's identity attributes were different in each of the legacy directories. This means that the user can now access all of these systems using either their Active Directory credentials or their old credentials from the previous system. Regardless of which credentials they use, the user has only one password across all systems: their existing Active Directory password. More information on DirectControl Zones can be found on:

[Figure 1.4 diagram: the Active Directory account for Fred Thomas (Userid fred.thomas, Homedir \\server1\users\fred.thomas, used from a Windows XP laptop) is mapped to three UNIX identities: Engineering Zone, Userid fred, Shell /bin/bash, Homedir /home/fred (Linux workstation); Finance Zone, Userid fthomas, UID 2387, Shell /bin/csh, Homedir /nfshome/fthomas (Solaris host); HR Zone, Userid fredt, UID 5381 (HR application server).]

Figure 1.4. Example of using Zones to map multiple identities to a single Active Directory user account.

If you choose to use Centrify DirectControl as part of an integrated solution for security and directory services, your conceptual design should address how you want to use Zones, how you will migrate user identities to Active Directory, and how legacy identity stores such as /etc/passwd files and NIS servers fit into your solution. To develop your conceptual design with Centrify DirectControl in mind, you should consider the following:

- Whether you have multiple UNIX identity stores or a single identity store for all UNIX users.
- Which UNIX computers users log on to locally or remotely, and which UNIX computers are used as application servers that only require infrequent administrative logins.
- The nature of the user community, and how and when different users access UNIX resources.

As an example, if you have multiple identity stores, your conceptual design should define how those identity stores map to Centrify DirectControl Zones. If you already group users in NIS domains, you can keep this structure by mapping each NIS domain to a Zone. If you have a more ad-hoc environment, you should identify the computers that form a natural administrative set. For example, you may want to use Zones to group computers based on specific criteria, such as computers managed by the same security group, located in the same area, or used by the same department.

In your conceptual design, you should also determine how various computers are used. For example, you should determine which computers users log on to directly and which computers are used as application servers that only require administrative access for housekeeping purposes. You should consider how many users log on to different computers and the tasks different sets of users perform on those computers.

If all of your UNIX user identities (UIDs) and group identities (GIDs) are unique across all of the computers you want to bring into the Active Directory forest, you can use a single Zone. For simplicity, or to migrate in phases, you can start with a single Zone and add Zones over time, but your conceptual design should take this migration strategy and Zone design into account.

Logical Design of Centrify DirectControl Solution

With Centrify DirectControl, many of the logical design considerations that were required for a pure Kerberos/LDAP solution no longer apply, because DirectControl automatically handles the configuration of many of the supporting services required to reach the End State. For example, when DirectControl is installed, the time service and time synchronization elements required for proper Kerberos operation are set up correctly without user intervention. Likewise, UNIX components such as PAM and NSS are configured automatically when DirectControl is installed.

Another logical design consideration highlighted in other solutions is the strategy for handling Active Directory schema extensions for storing UNIX user attributes such as a UID or home directory. DirectControl simplifies the whole schema extension issue by eliminating the need for any schema extensions. Instead, DirectControl automatically stores UNIX user attributes in a well-defined Active Directory storage class reserved for use by applications. Again, using the DirectControl Zones feature, multiple sets of UNIX user attributes can be tied to a single Active Directory user. These attributes can be managed by using the Active Directory Users and Computers MMC or the Centrify Administrator Console.

If the organization has already deployed Microsoft-supported UNIX schema extensions, such as the UNIX extensions included with Microsoft Windows Services for UNIX, then DirectControl can easily be configured to use that storage mechanism in addition to, or as an alternative to, DirectControl Zones.
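To make the Zone decision in the conceptual design concrete, here is an added example in Python (my own code, not Centrify's and not any DirectControl API) that models the planning step described above: three constructed legacy stores in passwd format are checked for username and UID collisions to decide whether a single Zone is possible, and when it is not, one Zone is planned per store so that a single Active Directory account (fred.thomas, following Figure 1.4) resolves to a different UNIX identity in each Zone. The store names, the Engineering UID, the alice and bob entries and the account-to-Zone mapping are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UnixProfile:
    """Per-Zone UNIX attributes the guide lists: name, UID, primary GID, home, shell."""
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5)-style lines (name:x:uid:gid:gecos:home:shell) into profiles."""
    profiles = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        profiles.append(UnixProfile(name, int(uid), int(gid), home, shell))
    return profiles


def find_collisions(stores):
    """Conflicts that rule out merging every store into one Zone: one username
    with different UIDs, or one UID owned by different usernames.
    Each conflict is (kind, value, first_store, conflicting_store)."""
    by_name, by_uid, conflicts = {}, {}, []
    for store, profiles in stores.items():
        for p in profiles:
            seen = by_name.get(p.name)
            if seen is not None and seen[1] != p.uid:
                conflicts.append(("username", p.name, seen[0], store))
            by_name.setdefault(p.name, (store, p.uid))
            seen = by_uid.get(p.uid)
            if seen is not None and seen[1] != p.name:
                conflicts.append(("uid", p.uid, seen[0], store))
            by_uid.setdefault(p.uid, (store, p.name))
    return conflicts


def plan_zones(stores):
    """A single merged Zone when nothing collides; otherwise one Zone per legacy
    store, so legacy usernames and UIDs survive the migration unchanged."""
    if find_collisions(stores):
        return {f"{store}-zone": {p.name: p for p in profiles}
                for store, profiles in stores.items()}
    merged = {}
    for profiles in stores.values():
        for p in profiles:
            merged.setdefault(p.name, p)
    return {"default": merged}


def resolve(zones, ad_mapping, ad_account, zone):
    """NSS-style lookup on a computer joined to `zone`: the UNIX profile the
    Active Directory account gets there, or None when the account is not a
    member of that Zone (so the computer is off-limits to it)."""
    unix_name = ad_mapping.get((ad_account, zone))
    return None if unix_name is None else zones[zone].get(unix_name)


# Constructed legacy stores following the Fred Thomas example in Figure 1.4.
# The Engineering UID is not given on the page; 1001 is a made-up value, as are
# the alice and bob entries that create the collisions.
ENGINEERING_LDAP = """
fred:x:1001:100:Fred Thomas:/home/fred:/bin/bash
alice:x:1002:100:Alice Lee:/home/alice:/bin/bash
"""
FINANCE_NIS = """
fthomas:x:2387:200:Fred Thomas:/nfshome/fthomas:/bin/csh
alice:x:2390:200:Alice Lee:/nfshome/alice:/bin/sh
"""
HR_PASSWD = """
fredt:x:5381:300:Fred Thomas:/home/fredt:/bin/sh
bob:x:1001:300:Bob Ng:/home/bob:/bin/sh
"""
LEGACY_STORES = {
    "engineering-ldap": parse_passwd(ENGINEERING_LDAP),
    "finance-nis": parse_passwd(FINANCE_NIS),
    "hr-passwd": parse_passwd(HR_PASSWD),
}
ZONES = plan_zones(LEGACY_STORES)
# Constructed mapping of AD account to the UNIX username it owns in each Zone;
# alice.lee has no HR profile, so HR computers are off-limits to her.
AD_MAPPING = {
    ("fred.thomas", "engineering-ldap-zone"): "fred",
    ("fred.thomas", "finance-nis-zone"): "fthomas",
    ("fred.thomas", "hr-passwd-zone"): "fredt",
    ("alice.lee", "engineering-ldap-zone"): "alice",
    ("alice.lee", "finance-nis-zone"): "alice",
}

if __name__ == "__main__":
    conflicts = find_collisions(LEGACY_STORES)
    print(f"single Zone possible: {not conflicts}; conflicts: {conflicts}")
    for zone in ZONES:
        print(zone, "->", resolve(ZONES, AD_MAPPING, "fred.thomas", zone))
    print("alice.lee on HR ->", resolve(ZONES, AD_MAPPING, "alice.lee", "hr-passwd-zone"))
```

Run it as-is to see the two collisions that force the three-Zone layout and the per-Zone identities Fred resolves to; swap in exports of your own stores to evaluate the single-Zone option for your environment.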

Figure 1.5. An example of the internal Active Directory storage hierarchy for a DirectControl Zone

Since DirectControl Zones add numerous possibilities for better role-based access control and for easy migration from existing UNIX directories, the organization should evaluate and create a logical design and plan for how Zones are used. This of course only applies if DirectControl is selected as the method for reaching the End State. Some of the considerations for how to apply Zones in the logical design include:

Using Zones to address multiple legacy UIDs and enable rapid migration to Active Directory
For existing UNIX systems that have LDAP, NIS or /etc/passwd based directories, the user information in these directories can be directly imported into multiple DirectControl Zones. Typically the design would call for one Zone for each substantially distinct legacy directory store. Usernames in each Zone are then mapped to existing Active Directory user accounts. This allows the UNIX identity system to be moved to Active Directory immediately without forcing a change of UIDs on the legacy UNIX systems. Having the option to retain legacy usernames and UIDs is a major design consideration, since the alternative of manually changing UID ownership and name-associated files on every UNIX system, for every user, could be an enormous task and an obstacle to a successful migration.

Using Zones and Services for UNIX to address other UNIX services tied to Active Directory
For organizations that have deployed Services for UNIX and are using the SFU NIS Server or NFS services, it is likely that they have extended the Active Directory schema using SFU. If this is the case, the logical design should include reserving a Zone for the SFU-enabled user accounts, since the UNIX attributes stored with each account will continue to be used once this new project is completed. DirectControl fully supports mapping the SFU user attributes into a DirectControl Zone.

Using Zones, Group Policy and other methods for enabling true role-based access control
One of the most powerful capabilities enabled with Zones is the ability to manage access to systems by using a logical design of Zones mapped to roles and organizations. The organization of Zones could be designed around geographic divisions (e.g. a Zone for Europe, a Zone for Asia), around functional groups (e.g. a Zone for Engineering, a Zone for HR) or any other user-defined taxonomy. Since users only have access to systems in a Zone if they are explicitly added as members of that Zone, organizations have better control over access to system resources and data. Additionally, administration of each Zone can be delegated to non-administrator individuals on a Zone-by-Zone basis, resulting in better control over the administration of all systems. Finally, by adding controls using group memberships and Centrify's Group Policy for UNIX capabilities, access control is further refined. For example, it is possible to lock down the configuration of privileged command execution by controlling the sudoers file via Group Policy. All of these access control capabilities are at the


More information

Using Likewise Enterprise to Boost Compliance with Sarbanes-Oxley

Using Likewise Enterprise to Boost Compliance with Sarbanes-Oxley Likewise Enterprise Using Likewise Enterprise to Boost Compliance with Sarbanes-Oxley IMPROVE SOX COMPLIANCE WITH CENTRALIZED ACCESS CONTROL AND AUTHENTICATION With Likewise Enterprise, you get one user,

More information

CENTRIFY TRAINING CLASS Centrify Suite Standard Edition - Mac OS X Training Course Details. Format: 100% lecture including demonstrations.

CENTRIFY TRAINING CLASS Centrify Suite Standard Edition - Mac OS X Training Course Details. Format: 100% lecture including demonstrations. Centrify Suite Standard Edition - Mac OS X Training Course Details Synopsis This course introduces the customer to the Centrify Mac OS X specific features of the Centrify Suite Standard Edition. What You

More information

Administering Group Policy with Group Policy Management Console

Administering Group Policy with Group Policy Management Console Administering Group Policy with Group Policy Management Console By Jim Lundy Microsoft Corporation Published: April 2003 Abstract In conjunction with Windows Server 2003, Microsoft has released a new Group

More information

Active Directory Comapatibility with ExtremeZ-IP A Technical Best Practices Whitepaper

Active Directory Comapatibility with ExtremeZ-IP A Technical Best Practices Whitepaper Active Directory Comapatibility with ExtremeZ-IP A Technical Best Practices Whitepaper About this Document The purpose of this technical paper is to discuss how ExtremeZ-IP supports Microsoft Active Directory.

More information

DriveLock Quick Start Guide

DriveLock Quick Start Guide Be secure in less than 4 hours CenterTools Software GmbH 2012 Copyright Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise

More information

VMware Identity Manager Administration

VMware Identity Manager Administration VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

P13 -Leveraging Active Directory to Secure and Audit Access to Non-

P13 -Leveraging Active Directory to Secure and Audit Access to Non- P13 -Leveraging Active Directory to Secure and Audit Access to Non- Presented by: Windows Systems David McNeely, Sr. Director of Product Management david.mcneely@centrify.com Centrify Corporation Trust

More information

Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab

Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab Microsoft Corporation Published: May, 2005 Author: Microsoft Corporation Abstract This guide describes how to create

More information

Integrated Approach to User Account Management

Integrated Approach to User Account Management Mission Critical Enterprise Systems Symposium 2006 Integrated Approach to User Account Management Kesselman, Glenn and Smith, William Lockheed Martin Mission Services Quest Software Public Sector October

More information

System Security Services Daemon

System Security Services Daemon System Security Services Daemon System Security Services Daemon Manages communication with centralized identity and authentication stores Provides robust, predictable caching for network accounts Can cache

More information

Installing Windows Rights Management Services with Service Pack 2 Step-by- Step Guide

Installing Windows Rights Management Services with Service Pack 2 Step-by- Step Guide Installing Windows Rights Management Services with Service Pack 2 Step-by- Step Guide Microsoft Corporation Published: October 2006 Author: Brian Lich Editor: Carolyn Eller Abstract This step-by-step guide

More information

ADMT v3 Migration Guide

ADMT v3 Migration Guide ADMT v3 Migration Guide Microsoft Corporation Published: November 2006 Abstract This guide explains how to use the Active Directory Migration Tool version 3 (ADMT v3) to restructure your operating environment.

More information

Active Directory Compatibility with ExtremeZ-IP

Active Directory Compatibility with ExtremeZ-IP Active Directory Compatibility with ExtremeZ-IP A Technical Best Practices White Paper Group Logic White Paper October 2010 About This Document The purpose of this technical paper is to discuss how ExtremeZ-IP

More information

An Overview of Samsung KNOX Active Directory-based Single Sign-On

An Overview of Samsung KNOX Active Directory-based Single Sign-On C E N T R I F Y W H I T E P A P E R. S E P T E M B E R 2013 An Overview of Samsung KNOX Active Directory-based Single Sign-On Abstract Samsung KNOX is a set of business-focused enhancements to the Android

More information

Microsoft Dynamics AX 2009 Installation Guide. Microsoft Corporation Published: November 2009

Microsoft Dynamics AX 2009 Installation Guide. Microsoft Corporation Published: November 2009 Microsoft Dynamics AX 2009 Installation Guide Microsoft Corporation Published: November 2009 Microsoft Dynamics is a line of integrated, adaptable business management solutions that enables you and your

More information

SECURITY TARGET FOR CENTRIFY SUITE VERSION 2013.2

SECURITY TARGET FOR CENTRIFY SUITE VERSION 2013.2 SECURITY TARGET FOR CENTRIFY SUITE VERSION 2013.2 Document No. 1769-000-D0007 Version: v0.89, 12 September 2013 Prepared for: Centrify Corporation 785 N. Mary Avenue, Suite 200 Sunnyvale, California USA,

More information

Centrify DirectAudit Jump Start Service

Centrify DirectAudit Jump Start Service CENTRIFY DATASHEET Centrify DirectAudit Jump Start Service What is the Centrify DirectAudit Jump Start Service? The Centrify DirectAudit Jump Start Basic Service is designed to give customers a quick start

More information

Configuring IBM Cognos Controller 8 to use Single Sign- On

Configuring IBM Cognos Controller 8 to use Single Sign- On Guideline Configuring IBM Cognos Controller 8 to use Single Sign- On Product(s): IBM Cognos Controller 8.2 Area of Interest: Security Configuring IBM Cognos Controller 8 to use Single Sign-On 2 Copyright

More information

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual TIBCO Spotfire Web Player 6.0 Installation and Configuration Manual Revision date: 12 November 2013 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED

More information

What s New in Centrify Server Suite 2013 Update 2

What s New in Centrify Server Suite 2013 Update 2 CENTRIFY SERVER SUITE 2013.2 DATA SHEET What s New in Centrify Server Suite 2013 Update 2 The new Centrify Server Suite 2013 Update 2 (2013.2) builds on the core enhancements Centrify introduced in Server

More information

Microsoft Corporation. Status: Preliminary documentation

Microsoft Corporation. Status: Preliminary documentation Microsoft Corporation Status: Preliminary documentation Beta content: This guide is currently in beta form. The AppLocker team greatly appreciates you reviewing the document and looks forward to receiving

More information

Redeploying Microsoft CRM 3.0

Redeploying Microsoft CRM 3.0 Redeploying Microsoft CRM 3.0 2005 Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies,

More information

AD RMS Step-by-Step Guide

AD RMS Step-by-Step Guide AD RMS Step-by-Step Guide Microsoft Corporation Published: March 2008 Author: Brian Lich Editor: Carolyn Eller Abstract This step-by-step guide provides instructions for setting up a test environment to

More information

Best Practices: Integrating Mac OS X with Active Directory. Technical White Paper September 2007

Best Practices: Integrating Mac OS X with Active Directory. Technical White Paper September 2007 Best Practices: with Active Directory Technical White Paper September 2007 Contents Page 3 Page 4 Page 8 Page 10 Page 11 Page 13 Apple s Built-In Solution How to Integrate Mac OS X with Active Directory

More information

Citrix Systems, Inc.

Citrix Systems, Inc. Citrix Password Manager Quick Deployment Guide Install and Use Password Manager on Presentation Server in Under Two Hours Citrix Systems, Inc. Notice The information in this publication is subject to change

More information

Step By Step Guide: Demonstrate DirectAccess in a Test Lab

Step By Step Guide: Demonstrate DirectAccess in a Test Lab Step By Step Guide: Demonstrate DirectAccess in a Test Lab Microsoft Corporation Published: May 2009 Updated: October 2009 Abstract DirectAccess is a new feature in the Windows 7 and Windows Server 2008

More information

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course Number: 6425C Course Length: 5 Days Course Overview This five-day course provides in-depth training on implementing,

More information

CA Performance Center

CA Performance Center CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

IDENTIKEY Server Windows Installation Guide 3.2

IDENTIKEY Server Windows Installation Guide 3.2 IDENTIKEY Server Windows Installation Guide 3.2 Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis,

More information

File and Printer Sharing with Microsoft Windows

File and Printer Sharing with Microsoft Windows Operating System File and Printer Sharing with Microsoft Windows Microsoft Corporation Published: November 2003 Abstract File and printer sharing in Microsoft Windows allows you to share the contents of

More information

Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment

Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment (Exam 70-290) Table of Contents Table of Contents... 1 Course Overview... 2 Section 0-1: Introduction... 4

More information

EventTracker: Support to Non English Systems

EventTracker: Support to Non English Systems EventTracker: Support to Non English Systems Publication Date: April 25, 2012 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Introduction This document has been prepared to

More information

Managing Linux Servers with System Center 2012 R2

Managing Linux Servers with System Center 2012 R2 Managing Linux Servers with System Center 2012 R2 System Center 2012 R2 Hands-on lab In this lab, you will use System Center 2012 R2 Operations Manager and System Center 2012 R2 Configuration Manager to

More information

Configuring Integrated Windows Authentication for JBoss with SAS 9.3 Web Applications

Configuring Integrated Windows Authentication for JBoss with SAS 9.3 Web Applications Configuring Integrated Windows Authentication for JBoss with SAS 9.3 Web Applications Copyright Notice The correct bibliographic citation for this manual is as follows: SAS Institute Inc., Configuring

More information

Web Interface with Active Directory Federation Services Support Administrator s Guide

Web Interface with Active Directory Federation Services Support Administrator s Guide Web Interface with Active Directory Federation Services Support Administrator s Guide Web Interface with Active Directory Federation Services (ADFS) Support Citrix Presentation Server 4.0 for Windows Copyright

More information

RSA Authentication Manager 8.1 Help Desk Administrator s Guide

RSA Authentication Manager 8.1 Help Desk Administrator s Guide RSA Authentication Manager 8.1 Help Desk Administrator s Guide Contact Information Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm

More information

70-640 R4: Configuring Windows Server 2008 Active Directory

70-640 R4: Configuring Windows Server 2008 Active Directory 70-640 R4: Configuring Windows Server 2008 Active Directory Course Introduction Course Introduction Chapter 01 - Installing the Active Directory Role Lesson: What is IDA? What is Active Directory Identity

More information

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities Identity and Access Management Integration with PowerBroker Providing Complete Visibility and Auditing of Identities Table of Contents Executive Summary... 3 Identity and Access Management... 4 BeyondTrust

More information

Administration Guide. SecureLogin 8.0. October, 2013

Administration Guide. SecureLogin 8.0. October, 2013 Administration Guide SecureLogin 8.0 October, 2013 Legal Notice NetIQ Product Name is protected by United States Patent No(s): nnnnnnnn, nnnnnnnn, nnnnnnnn. THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN

More information

WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)

WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ) WHITE PAPER Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ) SEPTEMBER 2004 Overview Password-based authentication is weak and smart cards offer a way to address this weakness,

More information

Centrify for Web Applications

Centrify for Web Applications Centrify for Web Applications Authentication Guide for Apache Servers June 2014 Centrify Corporation Legal notice This document and the software described in this document are furnished under and are subject

More information

Integrating Mac OS X 10.6 with Active Directory. 1 April 2010

Integrating Mac OS X 10.6 with Active Directory. 1 April 2010 Integrating Mac OS X 10.6 with Active Directory 1 April 2010 Introduction Apple Macintosh Computers running Mac OS X 10.6 can be integrated with the Boston University Active Directory to allow use of Active

More information

Introduction to DirectAccess in Windows Server 2012

Introduction to DirectAccess in Windows Server 2012 Introduction to DirectAccess in Windows Server 2012 Windows Server 2012 Hands-on lab In this lab, you will configure a Windows 8 workgroup client to access the corporate network using DirectAccess technology,

More information

Copyright 2014 Jaspersoft Corporation. All rights reserved. Printed in the U.S.A. Jaspersoft, the Jaspersoft

Copyright 2014 Jaspersoft Corporation. All rights reserved. Printed in the U.S.A. Jaspersoft, the Jaspersoft 5.6 Copyright 2014 Jaspersoft Corporation. All rights reserved. Printed in the U.S.A. Jaspersoft, the Jaspersoft logo, Jaspersoft ireport Designer, JasperReports Library, JasperReports Server, Jaspersoft

More information

Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0

Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0 Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0 Microsoft Corporation Published: September 2009 Abstract This step-by-step guide describes a sample scenario for installing Microsoft

More information

RSA Authentication Manager 8.1 Help Desk Administrator s Guide. Revision 1

RSA Authentication Manager 8.1 Help Desk Administrator s Guide. Revision 1 RSA Authentication Manager 8.1 Help Desk Administrator s Guide Revision 1 Contact Information Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm

More information

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course 6425B: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Length: 5 Days Language(s): English Audience(s): IT Professionals Level: 200 Technology: Windows Server

More information

Module 3: Implementing an Organizational Unit Structure

Module 3: Implementing an Organizational Unit Structure Module 3: Implementing an Organizational Unit Structure Contents Overview 1 Lesson: Creating and Managing Organizational Units 2 Lesson: Delegating Administrative Control of Organizational Units 13 Lesson

More information

Centrify Single Sign-On

Centrify Single Sign-On Centrify Single Sign-On Configuring Integration with SAP December 2014 Centrify Corporation Legal notice This document and the software described in this document are furnished under and are subject to

More information

Identity Management: The authentic & authoritative guide for the modern enterprise

Identity Management: The authentic & authoritative guide for the modern enterprise Identity Management: The authentic & authoritative guide for the modern enterprise Ellen Newlands, Product Manager Dmitri Pal, Director, Engineering 06-26-15 Goals of the Presentation Introduce Identity

More information

Course 6425B: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Course 6425B: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course 6425B: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services About this Course This five-day instructor-led course provides to teach Active Directory Technology Specialists

More information

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course Details Course Outline Module 1: Introducing Active Directory Domain Services This module provides

More information