Windows Security and Directory Services for UNIX using Centrify DirectControl
SOLUTION GUIDE
CENTRIFY CORP.
SEPTEMBER 2005

Windows Security and Directory Services for UNIX using Centrify DirectControl

With Centrify, you can now fully leverage your investment in Active Directory to significantly strengthen security, reduce infrastructure costs, streamline IT operations, and better comply with regulatory requirements.

ABSTRACT

Most IT environments include a significant number of Windows desktops and servers and typically use Active Directory to manage their Windows infrastructure. An ideal solution would be to leverage Active Directory for identity, access and policy management beyond Windows and include UNIX, Linux and Mac, the next largest base of systems in most large enterprises.

This solution guide is an end-to-end implementation guide for customers looking to build an Active Directory solution for UNIX, Linux and Macintosh platforms using Centrify's DirectControl product. The guide provides a detailed introduction to the DirectControl components as well as prescriptive guidance on designing, developing, testing, deploying and operating the solution using DirectControl. This guide also includes an evolving section with information on how to extend DirectControl to other scenarios, allowing you to further leverage your investment in Active Directory.
WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.

Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© Centrify Corporation, Microsoft Corporation. All rights reserved.

Centrify and DirectControl are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

CENTRIFY CORPORATION ALL RIGHTS RESERVED. PAGE II
Contents

Introduction ... 1
    Introducing the Final End State ... 1
    Real World Example ... 1
    Introducing the Centrify DirectControl Solution ... 1
    Intended Audience ... 2
    Knowledge Prerequisites ... 2
    Software Prerequisites ... 3
    Overview of Centrify DirectControl Technology ... 3
    Overview of Software Components for Windows ... 4
    Overview of Software Components for UNIX ... 4
    Storing UNIX User Attributes in Active Directory ... 9
Designing the Centrify DirectControl Solution
    Conceptual Design of Centrify DirectControl Solution
    Logical Design of Centrify DirectControl Solution
    Physical Design of Centrify DirectControl Solution
Developing the Centrify DirectControl Solution
    Introduction and Goals
    Major Tasks and Deliverables
    Preparing Your Environment
    Installing and Configuring Active Directory Domain Controllers
    Configuring the DNS Server
    Creating Test Users and Groups
    Verifying Time Synchronization
    Developing the Components of the Solution
    Choosing DirectControl Zones or Active Directory Schema Extensions
    Installing Centrify DirectControl on Windows
    Configuring Active Directory with the First DirectControl Zone
    Enabling Active Directory Groups and Users for UNIX
    Installing the Centrify DirectControl Agent on UNIX or Linux
    Joining the Active Directory Domain
    Restarting Running Services
    Performing Quick Validation Tests
    Confirming Configuration of Users and Groups
    Confirming UNIX Computer Membership in Active Directory
    Logging On to a UNIX Computer with an Active Directory User Account
    Major Milestone: Solution Development Complete
Testing and Stabilizing the Centrify DirectControl Solution
    Introduction and Goals
    Major Tasks and Deliverables
    Testing the DirectControl Solution
    Testing Joining a UNIX Computer to Active Directory
    Testing Active Directory Authentication
    Testing Workstation Authorization Policies
    Testing Account Lockout Policies
    Testing Password Management Policies
    Testing Offline Authentication
    Testing Additional Administrative Tasks
    Conducting a Pilot
    Major Milestone: Testing and Stabilization Complete
Deploying the Centrify DirectControl Solution
    Introduction and Goals
    Major Tasks and Deliverables
    Completing Deployment Preparations
    Importing Existing UNIX Accounts into Active Directory
    Using Zones to Manage Role-based Access Control Mapping
    Using Group Policy with DirectControl to Manage GPOs
    Applying Security Controls
    Choosing a Phased Deployment Option
    Preparing the IT Support Staff and Users
    Deploying the Solution
    Deploying the Infrastructure
    Joining UNIX Computers to Active Directory
    Stabilizing the Deployment
    Major Milestone: Deployment Complete
Operating the Centrify DirectControl Solution
    Introduction and Goals
    Intended Audience
    Knowledge Prerequisites
    Major Tasks and Deliverables
    Managing System Administration
    Administering Directory Services
    Administering DirectControl Zones
    Administering Security
    Delegation of Zone Administration
    Security Policy Administration
    Simplifying Service Desk Operations
    Assessing Capacity
    Reporting and Auditing
    Major Milestone: Operations Readiness Complete
Evolving the Centrify DirectControl Solution
    Introduction and Goals
    Intended Audience
    Knowledge Prerequisites
    Determining What the Next Steps are for Your Security and Directory Services Solution
    Expanding Single Sign-On Capabilities to Applications
    Using Kerberized Applications
    Using PAM-aware Applications
    Using DirectControl for Web-based Single Sign-On
    Supporting Legacy NIS Applications
    Enabling Configuration and Access Control with Active Directory and Group Policy ... 74
    Applying Domain-wide Policy through Active Directory
    Applying Policy for UNIX Users and Computers with Group Policy
Summary
Windows Security and Directory Services for UNIX using Centrify DirectControl

Introduction

This solution guide is designed to be used by the project team within an end user organization tasked with extending Microsoft Active Directory identity, access control and policy management services to UNIX, Linux and Apple Macintosh systems.

Introducing the Final End State

The goal of the guide is to assist the user in building an End State where Active Directory is used to authenticate UNIX clients via Kerberos, and authorization and identity information is accessible via LDAP. This solution makes use of Active Directory to store both authentication data and authorization data. The centralization of authentication and authorization data storage allows users to log in securely to both UNIX and Windows hosts with a single user name and password. Users may then access applications configured for Kerberized single sign-on without providing a user name or password.

Additionally, the centralization of authentication and authorization data storage allows for consolidation of administration functions, eliminating all need for separate administration of authentication and authorization data on the UNIX side. Systems previously used for authentication and authorization data storage in the UNIX environment can be retired following the centralization of data storage to Active Directory.

This solution is most appropriate for an organization with an existing UNIX infrastructure wanting to provide users with single sign-on to both Windows and UNIX hosts, as well as any Kerberized application, and centralize administration of user data in Active Directory. This solution is a good choice both for organizations that have already implemented Kerberos authentication and for those just starting down the Kerberos path.

Real World Example

An organization uses NIS to store authentication and authorization data for UNIX users. They are looking for ways to centralize administration of user data and retire the existing user data storage systems. They are also interested in providing users with a single user name and password to access both the UNIX and Windows sides of the organization. The added security of Kerberized authentication and the potential for single sign-on to applications using Kerberos credentials also interests them.

Introducing the Centrify DirectControl Solution

The Centrify DirectControl suite uses the Microsoft Windows Server 2003 Active Directory service to provide secure, centralized management of identities, access control, and policy for computers running UNIX, Linux, or Macintosh operating systems. Deploying the Centrify DirectControl solution enables you to consolidate all computer, user, and group accounts in Active Directory and use Active Directory for all authentication, authorization, and directory services. DirectControl also includes features that extend identity management to include controlling access to applications running on UNIX, Linux, or Macintosh platforms. These include Web applications and application servers such as Apache, Tomcat, JBoss, IBM's WebSphere and BEA's WebLogic.
DirectControl provides a complete, integrated commercial solution that enables a rapid implementation of the End State, letting you use Active Directory to authenticate UNIX clients with Kerberos and to access UNIX authorization and identity information with Lightweight Directory Access Protocol (LDAP). This guide describes how to prepare, develop, deploy, operate, and evolve the DirectControl technical solution to reach this End State goal in an environment that includes Windows and UNIX or Linux computers.

This section introduces you to the DirectControl solution and does not cover all aspects of configuring or using this product. Although DirectControl supports multiple UNIX and Linux platforms and Apple Mac OS X, the information and steps in this guide are specific to Red Hat Linux version 9. For more information about Centrify DirectControl, including specific information and steps for other supported operating systems, review the Centrify DirectControl Administrator's Guide that is included with the product and other information available on the Centrify Web site at

Intended Audience

All project team leads should read each section of this guide. Specific sections of this guide should be read by all team members who share a specific role:

- Introduction. All members of the project team should read this section as it provides background information on the Centrify DirectControl solution components.
- Design. The primary audience for the Design section is solution architects and the Development team.
- Development. The primary audience for the Development section is the Development team, but members of the User Experience (documentation and usability) and Test teams are also responsible for specific tasks. For example, some team members set up the environment; others create rollout and site preparation checklists, and updated pilot and rollout plans; and others perform verification testing.
- Test. The primary audience for the Test section is the Test, Development, and Release Management teams.
- Deployment. The primary audience for the Deployment section is the Release Management team.
- Operations. The audience for the Operations section is systems administrators, computer security personnel, and operators responsible for both UNIX or Linux computers and the Windows environment.
- Evolving. The audience for the Evolving section includes all teams. It is especially appropriate for developers who want to take advantage of Kerberos authentication and directory capabilities in their applications.

Knowledge Prerequisites

Team members should review the following documentation:

- Centrify DirectControl Administrator's Guide
- Centrify DirectControl Evaluation Guide
- Centrify's technical white paper, Centrify's Solution for Migrating UNIX Directories to Active Directory: Leveraging Centrify's DirectControl and Zone Technology to Simplify Migration, which is available from Centrify Corporation.

See the next subsection for information about how to obtain these documents.
Software Prerequisites

To deploy the Centrify DirectControl solution for the End State, you need access to the DirectControl software. The DirectControl software is available on a single CD-ROM. This CD-ROM includes all of the software and documentation components referred to in this document for both Windows and the various supported UNIX and Linux platforms. You can either request an evaluation copy or purchase Centrify DirectControl licenses directly from Centrify Corporation. The DirectControl evaluation license enables unlimited use of the software for any number of computers and users for a 30-day period.

To contact Centrify, you can:

- Visit the Centrify Web site:
- Send e-mail to Centrify: [email protected].
- Call Centrify:

In addition to obtaining the DirectControl software, you must have Active Directory configured and deployed to effectively implement this solution. For more information about these prerequisites, see Preparing Your Environment later in this guide. For an overview of the DirectControl solution and its components, see the next section, Overview of Centrify DirectControl Technology.

Overview of Centrify DirectControl Technology

The Centrify DirectControl solution integrates Windows and UNIX environments in a unique way, giving Active Directory users and groups access to UNIX and Linux resources and allowing UNIX users, groups, and computers to be imported into and managed through Active Directory. When you use DirectControl to achieve the End State, you can:

- Specify which Active Directory users and groups can log on to a specific UNIX computer or group of computers.
- Control user access to UNIX computers across the entire Active Directory forest, regardless of the organizational structure you use or where users are defined in that structure.
- Map local UNIX accounts, such as the root user, to Active Directory accounts for centralized control over access and passwords.
- Identify specific local UNIX accounts to be authenticated locally rather than through Active Directory.
- Migrate multiple existing UNIX account information stores into Active Directory, as needed.
- Enable authenticated users to connect to Web applications without being prompted to log on again with their Active Directory credentials (single sign-on).
- Take advantage of Microsoft's Group Policy to apply settings and controls for UNIX users and computers.

To enable integration, Centrify DirectControl provides components that are installed in the Windows environment and components that are installed on each UNIX or Linux computer.
Overview of Software Components for Windows

When you run the Centrify DirectControl setup program on a Windows computer, you can choose which components to install. You can choose from both required and optional components, as follows:

Required:

- You must install Active Directory property extensions on at least one computer that is joined to an Active Directory domain and has the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in installed. Active Directory Users and Computers is installed in Administrative Tools by default on a Windows domain controller. You can install this snap-in on other computers running Windows Server (see "To add a snap-in to a new MMC console for a local computer" in Help and Support Center for Windows Server 2003). It is also available for Windows XP by installing the Windows Server 2003 Administration Tools Pack, which you can download from the following location: c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en
  The property extensions update the Active Directory forest to store additional attributes for each user account that uses the native Active Directory schema.
- You must install the Centrify DirectControl Administrator Console on at least one computer that can access Active Directory domains. The Centrify DirectControl Administrator Console provides a central location for managing UNIX users, groups, and computers and for performing administrative tasks, such as importing accounts, running reports, and analyzing account information.

Optional:

- Documentation, release notes, and online help for the Centrify DirectControl Administrator Console are optional. You can install one or more of them on any Windows computer.
- The DirectControl Network Information Service (NIS) Map Extensions component is optional. You can install it on at least one computer if you want to import and manage NIS maps, such as netgroup or auto.master, in Active Directory.
- The DirectControl Administrative Template for Group Policy is optional. You can install it on at least one computer on which the Group Policy Object Editor console is installed.

Overview of Software Components for UNIX

When you run the Centrify DirectControl installation script on a UNIX computer, a core Agent package of services that handles communications between programs on the UNIX platform and Active Directory is installed. You can also install optional components that require additional steps to activate, such as the DirectControl authentication and authorization module for Apache or the DirectControl Network Information Service (NIS).
The following figure depicts the components of the DirectControl software that runs on a UNIX computer.

Figure 1.1. Simplified view of the Centrify DirectControl architecture

The following table briefly defines each component shown in the figure.

Table 1.1. Centrify DirectControl Architecture Components

Component | Description
Centrify DirectControl daemon (adclient) | The DirectControl Active Directory client daemon (program), adclient, manages all direct communications with Active Directory as well as all operations provided through the other DirectControl services.
DirectControl Service Library | Service libraries are included with DirectControl to handle Kerberos, LDAP, and Active Directory specific calls. These libraries are used by the various DirectControl modules.
CLI Tools | The DirectControl command-line interface (CLI) programs enable you to perform common administrative tasks, such as join or leave the Active Directory domain, change user passwords, or collect diagnostic information. You can use these command-line programs interactively or in scripts to automate tasks.
Kerberos Cache, Keytab and Configuration | DirectControl automatically sets up and maintains Kerberos system files and services on the UNIX computer.
Offline Cache | When a user logs on to the UNIX computer, the user's credentials are cached locally so that the user can continue to log on to the computer for future sessions, even when a domain controller is not available or the network is offline.
Kerberized Apps (ssh, nfs, ...) | Applications that use Kerberos for authentication can use DirectControl to authenticate to an Active Directory server.
UNIX Login Apps (login, ftp, ssh, ...) | Standard UNIX applications that use NSS or PAM to locate a name service or an authentication mechanism can use Active Directory for these services through DirectControl.
NSS Module | The DirectControl Name Server Switch (NSS) module enables standard operating system services that do not use PAM or Kerberos to look up information in Active Directory. NSS updates the /etc/nsswitch.conf file to use the DirectControl daemon to access information that is stored in Active Directory through LDAP.
PAM Module | The DirectControl Pluggable Authentication Module (PAM) module, pam_centrifydc, works with the adclient daemon to provide a number of services, such as checking for password expiration, filtering for users and groups, and creating the local home directory and default user profile files for new users. The pam_centrifydc module is automatically placed first in the PAM stack in the /etc/pam.d/system-auth file to ensure that it takes precedence over other authentication modules.
Apache | The Apache Web server can be configured to use Active Directory for backend directory and authentication services.
Apache SPNEGO Module | The DirectControl Apache SPNEGO Module provides silent authentication services for Apache Web applications using Active Directory as the authentication authority.
SDK | The DirectControl Software Development Kit (SDK) can be used to create custom applications and scripts that integrate with Active Directory for authentication and directory services.
J2EE Apps (WebLogic, WebSphere, Tomcat, JBoss) | J2EE application platforms such as BEA's WebLogic, IBM's WebSphere, Tomcat, and JBoss (and the applications that run on these platforms) can be configured to use Active Directory for backend directory and authentication services.
J2EE JAAS Module | Java Authentication and Authorization Service (JAAS) is a standard Java package that provides interfaces to allow applications to perform silent or prompted authentication of user credentials. Centrify DirectControl includes a customized JAAS realm for J2EE applications that supports using Active Directory for authentication.
J2EE SPNEGO Module | The DirectControl J2EE SPNEGO Module uses Active Directory as the authentication authority to provide silent authentication services for J2EE Web applications.
Group Policy Service | The DirectControl Group Policy service interfaces with the Group Policy system on the Windows server and ensures that applicable policies are correctly executed on the UNIX computer.
System Config Files | System configuration files can be used to control Group Policy objects that run on the UNIX platform.
Virtual Registry | DirectControl maintains a virtual registry that is used to store configuration settings that get executed by the DirectControl Group Policy system.
NIS Service (adnisd) | The optional DirectControl Network Information Service (NIS) daemon, adnisd, can be installed on at least one computer if you want to store NIS maps in Active Directory and publish the information through DirectControl.
NIS Client Apps | Local and remote NIS client systems and applications can use DirectControl NIS to access directory information stored in Active Directory.
NIS Cache | NIS information is cached locally on a system that runs the DirectControl NIS daemon. This reduces network traffic and load on Active Directory domain controllers.

The following subsections provide more detail about the most important components of the Centrify DirectControl architecture.

Centrify DirectControl Daemon (adclient)

The core component of the Centrify DirectControl Agent is the adclient daemon. The DirectControl adclient daemon handles all direct communications with Active Directory and works in conjunction with all other DirectControl Agent modules to perform the following key activities:

Locates domain controllers
Locates the appropriate domain controllers for the UNIX or Linux computer based on Active Directory forest and site topology.

Verifies domain membership
Provides Active Directory with credentials that verify that the computer is a valid member of the domain.

Manages user credentials
Delivers and stores user credentials so that users can be authenticated by Active Directory and can sign on even when the computer is disconnected from the network.

Caches information to improve performance
Caches query responses and other information to reduce network traffic and the number of connections to Active Directory. The cache contents and all communications with Active Directory are encrypted to ensure security. The daemon caches positive and negative query results for better performance.
Manages Kerberos
Creates and maintains the Kerberos configuration and service ticket files so that all existing Kerberized (Kerberos-enabled) applications work with Active Directory without any additional manual configuration.

Synchronizes clock
Synchronizes the local computer's time with the clock maintained by Active Directory to ensure that the timestamps on Kerberos tickets issued by the Windows Key Distribution Center (KDC) are within a valid range.

Resets computer password
Resets the password for the local computer account in Active Directory at regular intervals to maintain security for the account's credentials.

Provides services to other modules
Provides authentication, authorization, and directory look-up services to the other DirectControl modules, for example, to the PAM or Java modules.

The DirectControl adclient daemon must be running on the UNIX or Linux computer for that computer to have access to the information stored in Active Directory.
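Table 1.1 above states two concrete changes the agent makes to a host: the NSS module adds the DirectControl source to /etc/nsswitch.conf, and pam_centrifydc is placed first in the auth stack in /etc/pam.d/system-auth. A host on which either edit is missing, or was later undone by a package upgrade or a hand edit, quietly falls back to local-only lookups or to a different first authentication module. The following script is an added example for auditing both files; it is not Centrify's code, and it assumes (the page does not give these names) that the nsswitch source is spelled "centrifydc" and the module file is "pam_centrifydc.so". The sample configuration files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Centrify's code): audit the two files that Table 1.1 says
# the DirectControl agent rewrites, /etc/nsswitch.conf (NSS module) and
# /etc/pam.d/system-auth (PAM module, placed first in the auth stack).
# ASSUMPTIONS not stated on the page: the nsswitch source name "centrifydc"
# and the PAM module file name "pam_centrifydc.so".

NSS_SOURCE="centrifydc"          # assumed nsswitch.conf source name
PAM_MODULE="pam_centrifydc.so"   # assumed PAM module file name

# nss_sources FILE DB: print the source list configured for DB (passwd,
# group, ...), e.g. "files centrifydc"; exit 1 if DB is not configured.
nss_sources() {
  awk -v db="$2" '
    /^[ \t]*#/ { next }
    $1 == (db ":") { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1 }
    END { exit !found }' "$1"
}

# nss_uses_ad FILE DB: succeed only if DB lists the DirectControl source.
nss_uses_ad() {
  for src in $(nss_sources "$1" "$2" || true); do
    [ "$src" = "$NSS_SOURCE" ] && return 0
  done
  return 1
}

# pam_first_auth_module FILE: print the file name of the module on the first
# active "auth" line (bracketed control fields are skipped); nothing if none.
pam_first_auth_module() {
  awk '
    /^[ \t]*#/ { next }
    $1 == "auth" {
      for (i = 2; i <= NF; i++)
        if ($i ~ /\.so$/) { sub(/.*\//, "", $i); print $i; exit }
    }' "$1"
}

# pam_ad_first FILE: succeed only if the DirectControl module heads the stack.
pam_ad_first() {
  [ "$(pam_first_auth_module "$1")" = "$PAM_MODULE" ]
}

# audit_host NSSWITCH_FILE SYSTEM_AUTH_FILE: print one line per finding and
# return the number of findings; print OK and return 0 when the host is clean.
audit_host() {
  audit_findings=0
  for db in passwd group; do
    nss_uses_ad "$1" "$db" || {
      echo "nsswitch: $db does not consult $NSS_SOURCE"
      audit_findings=$((audit_findings + 1))
    }
  done
  pam_ad_first "$2" || {
    echo "pam: first auth module is '$(pam_first_auth_module "$2")', expected $PAM_MODULE"
    audit_findings=$((audit_findings + 1))
  }
  [ "$audit_findings" -eq 0 ] && echo OK
  return "$audit_findings"
}

# write_samples DIR: constructed sample files (not copied from a real host).
# The "good" pair mirrors what the text says the agent writes; the "bad" pair
# shows a host where passwd stays local and the PAM edit was reverted.
# Control flags (sufficient/required) are illustrative only.
write_samples() {
  printf 'passwd:     files %s\ngroup:      files %s\nhosts:      files dns\n' \
    "$NSS_SOURCE" "$NSS_SOURCE" > "$1/nsswitch.good"
  printf 'passwd:     files\ngroup:      files %s\n' "$NSS_SOURCE" > "$1/nsswitch.bad"
  printf '#%%PAM-1.0\nauth  sufficient  %s\nauth  required  pam_env.so\nauth  sufficient  pam_unix.so nullok\n' \
    "$PAM_MODULE" > "$1/system-auth.good"
  printf '#%%PAM-1.0\nauth  required  pam_env.so\nauth  sufficient  pam_unix.so nullok\nauth  sufficient  %s\n' \
    "$PAM_MODULE" > "$1/system-auth.bad"
}

# Demo: run with --demo to audit the constructed samples.
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); write_samples "$d"
  echo "== good host"; audit_host "$d/nsswitch.good" "$d/system-auth.good"
  echo "== bad host";  audit_host "$d/nsswitch.bad"  "$d/system-auth.bad"
  rm -rf "$d"
fi
```

On a real host you would call audit_host /etc/nsswitch.conf /etc/pam.d/system-auth from a configuration-check job; the return value is the finding count, so it drops straight into a monitoring script.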
Centrify DirectControl for PAM-Enabled Services (pam_centrifydc)

The Centrify DirectControl PAM module, pam_centrifydc, provides the interface between the standard UNIX authentication libraries used by most system applications and the DirectControl adclient daemon that manages direct communications between a UNIX or Linux host and Active Directory. The pam_centrifydc module provides the following services:

Kerberos-based user authentication for PAM-enabled services
Services such as login, sshd, telnetd, and ftpd, which are typically configured to use PAM, can authenticate users by using Kerberos tickets and Active Directory. After the user is authenticated, the DirectControl daemon stores the Kerberos credentials locally in an encrypted cache so that the credentials are available for other applications to use.

Disconnected authentication
When users log on and are authenticated successfully through Active Directory, the pam_centrifydc module caches their credentials so that they can log on and be authenticated when the computer is disconnected from the network or when the Active Directory domain controller is not available.

Automatic home directory creation
When a new user logs on and is authenticated through Active Directory, the pam_centrifydc module automatically creates a home directory for the user if the home directory for the user does not already exist. The path to the home directory corresponds to the home directory attribute for the user stored in Active Directory.

Account conflict checking
When users log on, the pam_centrifydc module checks for user name and user ID (UID) conflicts between users enabled for UNIX or Linux access in Active Directory and local user accounts defined in the /etc/passwd file. If a conflict exists, a warning is displayed to the user upon logon and an event is written to the local UNIX system log.
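The account conflict check just described runs at logon, which means the first person to notice a clash is the user. The script below is an added example (not Centrify's code) of the same check performed ahead of time, comparing the local /etc/passwd against the UNIX-enabled accounts the directory publishes, so that name and UID clashes surface in a report before anyone logs on. Both inputs are constructed sample data in passwd(5) format; the directory side has the shape that a "getent passwd" served through the NSS module would return, not a real export.

```shell
#!/bin/sh
# Added example (not Centrify's code): an offline version of the "account
# conflict checking" described above. It compares the local /etc/passwd with
# the UNIX-enabled accounts the directory publishes and reports user-name and
# UID clashes before a user hits them at logon. Both inputs are constructed
# sample data in passwd(5) format, not a real export.

# account_conflicts LOCAL_PASSWD DIRECTORY_PASSWD
# Prints one line per conflict:
#   NAME <user> local_uid=<n> directory_uid=<m>   same name, different UID
#   UID  <n> local=<user> directory=<user>         same UID, different name
# An entry identical in both files (same name and UID) is not reported: that
# is the supported "local override" case. Exit 1 if anything was printed.
account_conflicts() {
  awk -F: '
    /^#/ || NF < 3 { next }                              # comments and junk lines
    FNR == NR { lname[$1] = $3; luid[$3] = $1; next }    # first file: local accounts
    {
      name = $1; uid = $3
      if ((name in lname) && lname[name] == uid) next    # identical entry, override case
      if (name in lname) {
        printf "NAME %s local_uid=%s directory_uid=%s\n", name, lname[name], uid; n++
      }
      if ((uid in luid) && luid[uid] != name) {
        printf "UID  %s local=%s directory=%s\n", uid, luid[uid], name; n++
      }
    }
    END { exit (n > 0) }' "$1" "$2"
}

# write_passwd_samples DIR: constructed sample inputs. jsmith exists locally
# with UID 500 but is UID 10001 in the directory; the directory user mjones
# was given UID 1001, which the local oracle service account already holds;
# backup is identical on both sides (override case) and asharma is clean.
write_passwd_samples() {
  cat > "$1/passwd.local" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
jsmith:x:500:500:Local John Smith:/home/jsmith:/bin/bash
oracle:x:1001:1001:Oracle:/opt/oracle:/bin/bash
backup:x:1002:1002:Backup Service:/var/backup:/sbin/nologin
EOF
  cat > "$1/passwd.directory" <<'EOF'
jsmith:x:10001:10000:John Smith:/home/jsmith:/bin/bash
mjones:x:1001:10000:Mary Jones:/home/mjones:/bin/bash
backup:x:1002:1002:Backup Service:/var/backup:/sbin/nologin
asharma:x:10002:10000:Anil Sharma:/home/asharma:/bin/bash
EOF
  cat > "$1/passwd.clean" <<'EOF'
asharma:x:10002:10000:Anil Sharma:/home/asharma:/bin/bash
EOF
}

# Demo: run with --demo to see the two conflicts in the sample data.
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); write_passwd_samples "$d"
  account_conflicts "$d/passwd.local" "$d/passwd.directory" || echo "conflicts found"
  rm -rf "$d"
fi
```

The UID clash (mjones versus oracle) is the one to act on first: two different principals sharing a numeric ID share file ownership, which is an authorization problem rather than a cosmetic one. The NAME clash is what the user sees as a logon warning; it is resolved either by retiring the local entry or by deliberately keeping it as a local override with matching values.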
User and group filtering for fine-tuned access control
You can use group policy to grant or deny users or groups access to any computer or group of computers managed by DirectControl. Your group policy settings are enforced through the pam_centrifydc module.

Local override flexibility
DirectControl allows you to enable one or more user accounts that are always authenticated locally by using the /etc/passwd file instead of Active Directory.

Password administration
DirectControl provides a command-line program, adpasswd, that lets UNIX or Linux users change their Active Directory password from the UNIX or Linux computer. The pam_centrifydc module enforces your Active Directory password policies for length, complexity, expiration, and history.

Centrify DirectControl Name Server Switch (nss_centrifydc)

The Centrify DirectControl NSS module, nss_centrifydc, performs user and group name lookups and file-based authorization for program and application requests through LDAP. The adclient daemon stores the responses locally in an encrypted cache to ensure faster performance, reduced network traffic, secure caching, and disconnected operation. In addition, the DirectControl NSS module provides the following features:

User and group filtering to selectively look up information in Active Directory
Through configuration options or group policy, you can handle lookup requests for specific users and groups locally rather than through Active Directory. For example, you might not want to use Active Directory for special system accounts, for groups, or for a specific set of UIDs.

User and group override controls for fine-tuned access control
Through configuration options or group policy, you can handle override entries in the /etc/passwd file or /etc/group file to provide custom access to local accounts or groups.

Program filtering to prevent account conflicts with Active Directory
Through configuration options or group policy, you can specify programs that you do not want to look up account information in Active Directory. You can use this feature to ensure that local programs that create, manage, or use local user and group information do not attempt to look up conflicting information in Active Directory.

Storing UNIX User Attributes in Active Directory

UNIX computers use a traditional set of information fields that are associated with a user in the account information store. Regardless of whether the store is local (that is, /etc/passwd) or in a central directory (for example, NIS or LDAP), these fields must be present in order for a normal UNIX user experience to occur. Some of these information fields have a similar field in Active Directory. For example, the Active Directory Display Name field is similar to what is typically stored in the Gecos field in an /etc/passwd file, that is, the full name of the user. However, a UNIX computer must look up certain fields that do not have an equivalent in the Active Directory system. Some of these fields include User ID (specifies the user's unique numeric ID), Principal Group (specifies the user's principal or primary group ID), Home Directory (specifies the full path name of the user's home directory), and Shell (specifies the initial program or shell that is executed after a user invokes the login command or su command).
In order to use Active Directory as a directory store for UNIX accounts, some mechanism must be put in place to allow for the storage of these extra information attributes and to tie those attributes to each user account. Many solutions use the approach of extending the Active Directory schema to accommodate the storage of additional attributes. For example, Microsoft Services for UNIX (SFU) includes a mechanism to extend the default schema. After the default schema is extended, every user in the domain has extra fields available for storing information associated with accessing UNIX computers. These fields include NIS Domain, UID, Login Shell, Home Directory, and Primary group name.

DirectControl supports two methods for storing UNIX user attributes in Active Directory: using DirectControl Zones or implementing the Microsoft SFU schema extensions.

DirectControl Zones

As described in the sections about conceptual and logical designs for DirectControl solutions, Centrify DirectControl introduces a new mechanism for storing UNIX user attributes. DirectControl takes advantage of a standard facility within Active Directory that allows applications to store data in Active Directory under the Program Data container hierarchy. In this container, DirectControl can store information in Zones. Each Zone can include information about related computers, users, and groups that are joined to Active Directory.

Because the Zone concept is extensible, users can be associated with multiple UNIX identities in numerous Zones if required. For example, you can create Zones by importing the user information from multiple legacy NIS directories in your organization. The UNIX-related information associated with each user in each Zone can then be tied to an Active Directory user account. Even if the user has a different user name or UID in each Zone, the user can still be associated with a single Active Directory account and a single Active Directory password.
Zones are also useful for organizations that want to establish strict role-based access controls for UNIX computers, groups, and users. For example, you can add Active Directory users or groups as members of a Zone if the users or groups have a requirement to access computers in that Zone. Other users or groups who are not members of the Zone cannot access the computers in that Zone.

Microsoft Services for UNIX Schema Extensions

As mentioned earlier, the Microsoft Services for UNIX (SFU) product includes a method for extending the Active Directory schema by adding storage fields for UNIX attributes. DirectControl fully supports using these Microsoft-supported schema extensions. If your organization has deployed the SFU schema extensions, DirectControl can treat them as a separate Zone. Other Zones can be used side-by-side with the SFU Zone, which gives your organization a considerable degree of flexibility for establishing a consolidated identity solution that best meets your needs.

Centrify DirectControl supports the SFU schema extensions because these are the UNIX schema extensions that Microsoft officially supports. Microsoft implemented a new UNIX schema for the 2005 release of Windows Server. Centrify fully supports this new schema and plans to continue to track and support any UNIX schema extensions that Microsoft supports in the future.

Important: Extending the Active Directory schema requires care. To reduce the chance that problems might arise during the extension process, the recommended practice is to select extension mechanisms that Microsoft supports. Before you extend the schema, see "Extending the schema" in the Windows Server 2003 Help and Support Center.

The example in the following screenshot displays SFU schema attributes as a DirectControl Zone on the Centrify Profile tab for Jeff Hay. The Centrify Profile tab appears on the user properties page in Active Directory Users and Computers after you run the DirectControl Setup Wizard. You can also view or modify SFU settings by using the UNIX Attributes tab.

Figure 1.2. SFU schema attributes appear as a Centrify Zone on the user properties page in Active Directory Users and Computers

For more information about DirectControl Zones and about how to accommodate legacy UNIX identity stores, see the white paper, Centrify's Solution for Migrating UNIX Directories to Active Directory: Leveraging Centrify's DirectControl and Zone Technology to Simplify Migration, on the Centrify Web site at
Designing the Centrify DirectControl Solution

Before beginning development of the solution, it is essential to understand the underlying design of the Centrify DirectControl product and how it can be applied to extending Active Directory services to UNIX systems and applications. This next section reviews the conceptual and logical design of a solution using DirectControl as well as an example of a physical design showing how DirectControl would be deployed in a real-world scenario.

Conceptual Design of Centrify DirectControl Solution

Centrify's DirectControl solution combines the necessary authentication, authorization and directory services required for the End State into a single integrated solution. Rather than treating each component service as a separate concept that requires individual designs, the design for the single DirectControl service will more than cover the requirements for the End State. In concept, a UNIX or Linux machine with the DirectControl agent installed is very similar to a Windows XP client from the standpoint of services provided between the Active Directory server and the client system.

By combining the authentication, authorization and directory services into a single integrated service, administrators benefit through simplicity, reduced overhead in building and maintaining the solution, and the secure centralization of user identity management. Users also benefit from this approach, since the username, password and policies (e.g. password complexity rules) that they are using on their Windows clients can now be applied to their UNIX and Linux clients.

Figure 1.3 illustrates the conceptual design for using DirectControl to provide authentication and authorization services to a UNIX or Linux client.

Figure 1.3. Overview of the conceptual designs for authentication, authorization and directory services using Centrify DirectControl
Centrify DirectControl introduces a new concept that needs to be understood and taken into consideration when planning this solution. This new concept is the DirectControl Zones feature. DirectControl Zones is a facility that allows groups of UNIX machines, groups and users to be treated as a distinct identity cluster for the purposes of partitioning off systems that have common identity attributes. Users can be members of more than one Zone and can have different user attributes (e.g. a different username) in each Zone. For example, all machines in the finance department could be grouped into a single Zone called finance, and the members of that Zone could be restricted to finance employees and all senior managers. This gives the organization better control over access to systems based on well-defined roles. Additionally, DirectControl Zones can be used to restrict access to certain types of applications running on the UNIX systems.

Zones also become important when dealing with multiple existing UNIX identity systems that are being migrated to Active Directory. For example, most organizations have multiple identity stores in use on their current UNIX platforms, including LDAP directories, NIS/NIS+ and local account stores using /etc/passwd. Often a single user can be a member of more than one identity store and may even have a different username, UID or group memberships in each. DirectControl Zones would allow the organization to import the information from their legacy UNIX identity stores into separate Zones without forcing the organization to consolidate the multiple identities that each user might have. The result might be a structure with three Zones in Active Directory: one with the pre-existing UNIX LDAP directory information, one with the imported information from an existing NIS directory, and one with the imported contents from an /etc/passwd file from a single UNIX system.

If a user has an account in all three systems, these can now be mapped back to a single Active Directory identity, even if the user's identity attributes were different in each of the legacy directories. This means that the user can now access all of these systems using either their Active Directory credentials or their old credentials from the previous system. Regardless of which credentials they use, the user has only one password across all systems: their existing Active Directory password.

More information on DirectControl Zones can be found on:

[Figure 1.4 diagram: one Active Directory account (User Name: Fred Thomas, Userid: fred.thomas, Homedir: \\server1\users\fred.thomas, used from a Windows XP laptop) in the Windows Domain is tied to three Zone profiles: Engineering Zone (Userid: fred, Shell: /bin/bash, Homedir: /home/fred; Fred's Linux account on a Linux workstation), Finance Zone (Userid: fthomas, UID: 2387, Shell: /bin/csh, Homedir: /nfshome/fthomas; Fred's Solaris account on a Solaris host) and HR Zone (Userid: fredt, UID: 5381; Fred's HR App account on the HR app server). An Administrator manages the account on the Windows domain controller.]

Figure 1.4. Example of using Zones to map multiple identities to a single Active Directory user account.
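The Zone mechanism described in the DirectControl Zones section and illustrated by Figure 1.4 is worth seeing as code: one Active Directory credential, several per-Zone UNIX profiles, and authorization decided by Zone membership of the computer being logged on to. The block below is an added example written for this guide, not Centrify's implementation. The profile values follow the figure (Finance: fthomas, UID 2387, /bin/csh, /nfshome/fthomas; HR: fredt, UID 5381; Engineering: fred, /bin/bash, /home/fred); the Engineering UID, all GIDs, the HR home and shell, the computer names, the password and the PBKDF2 stand-in for the real Kerberos exchange are constructed for the demonstration.

```python
"""Model of DirectControl Zones tying several UNIX identities to one Active
Directory account, as in Figure 1.4.

Added example, not Centrify code. Zone profiles follow the figure; the
Engineering UID, all GIDs, the HR shell and home, the computer names, the
password and the PBKDF2 stand-in for the Kerberos exchange are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class ADAccount:
    """One Active Directory user: the single credential used from every Zone."""
    sam_account_name: str
    display_name: str
    salt: bytes
    pw_hash: bytes
    enabled: bool = True

    @classmethod
    def create(cls, sam: str, display: str, password: str) -> "ADAccount":
        salt = os.urandom(16)
        return cls(sam, display, salt, _hash(password, salt))

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


@dataclass
class UnixProfile:
    """UNIX attributes stored with the Zone, not in the AD schema."""
    unix_name: str
    uid: int
    gid: int
    home: str
    shell: str
    ad_account: str          # sAMAccountName the profile is tied to


@dataclass
class Zone:
    name: str
    computers: Set[str] = field(default_factory=set)                 # joined computers
    profiles: Dict[str, UnixProfile] = field(default_factory=dict)   # unix_name -> profile

    def add(self, profile: UnixProfile) -> None:
        self.profiles[profile.unix_name] = profile


class Directory:
    """The Program Data container: AD accounts plus Zone maps and stores."""

    def __init__(self) -> None:
        self.accounts: Dict[str, ADAccount] = {}
        self.zones: Dict[str, Zone] = {}

    def add_account(self, account: ADAccount) -> None:
        self.accounts[account.sam_account_name] = account

    def add_zone(self, zone: Zone) -> None:
        self.zones[zone.name] = zone

    def profiles_for(self, sam: str) -> Dict[str, UnixProfile]:
        """Every UNIX identity an AD user holds, keyed by Zone name."""
        return {z.name: p for z in self.zones.values()
                for p in z.profiles.values() if p.ad_account == sam}

    def login(self, computer: str, unix_name: str, password: str) -> Optional[UnixProfile]:
        """Log a UNIX user on to a joined computer.

        Authorization comes first: the computer's Zone must hold a profile for
        the name. Authentication is then against the one AD account, whatever
        the Zone-local name or UID. Returns the profile, or None on failure."""
        zone = next((z for z in self.zones.values() if computer in z.computers), None)
        if zone is None:
            return None                      # computer not joined to any Zone
        profile = zone.profiles.get(unix_name)
        if profile is None:
            return None                      # not a member of this Zone
        account = self.accounts.get(profile.ad_account)
        if account is None or not account.enabled or not account.check_password(password):
            return None                      # account missing, disabled or wrong password
        return profile


def demo_directory(password: str = "constructed-example-pw") -> Directory:
    """Fred Thomas from Figure 1.4, with constructed values where the figure has none."""
    d = Directory()
    d.add_account(ADAccount.create("fred.thomas", "Fred Thomas", password))
    eng = Zone("Engineering", computers={"linux-ws"})
    eng.add(UnixProfile("fred", 7001, 7001, "/home/fred", "/bin/bash", "fred.thomas"))       # UID constructed
    fin = Zone("Finance", computers={"solaris-host"})
    fin.add(UnixProfile("fthomas", 2387, 2387, "/nfshome/fthomas", "/bin/csh", "fred.thomas"))
    hr = Zone("HR", computers={"hr-app"})
    hr.add(UnixProfile("fredt", 5381, 5381, "/home/fredt", "/bin/sh", "fred.thomas"))       # home/shell constructed
    for zone in (eng, fin, hr):
        d.add_zone(zone)
    return d
```

Two points the model makes concrete: disabling the single AD account (`enabled = False`) denies every Zone identity at once, which is the operational payoff of consolidation, and a valid password does not help on a computer whose Zone holds no profile for the name, which is the role-based access control the Zones section describes.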
If you choose to use Centrify DirectControl as part of an integrated solution for security and directory services, your conceptual design should address how you want to use Zones, how you will migrate user identities to Active Directory, and how legacy identity stores such as /etc/passwd files and NIS servers fit into your solution. To develop your conceptual design with Centrify DirectControl in mind, you should consider the following:

- Whether you have multiple UNIX identity stores or a single identity store for all UNIX users.
- Which UNIX computers users log on to locally or remotely, and which UNIX computers are used as application servers that only require infrequent administrative logins.
- The nature of the user community and how and when different users access UNIX resources.

As an example, if you have multiple identity stores, your conceptual design should define how those identity stores should map to Centrify DirectControl Zones. If you already group users in NIS domains, you can keep this structure by mapping each NIS domain to a Zone. If you have a more ad-hoc environment, you should identify the computers that form a natural administrative set. For example, you may want to use Zones to group computers based on specific criteria, such as computers managed by the same security group, located in the same area, or used by the same department.

In your conceptual design, you should also determine how various computers are used. For example, you should determine which computers users log on to directly and which computers are used as application servers that only require administrative access for housekeeping purposes. You should consider how many users log on to different computers and the tasks different sets of users perform on those computers.

If all of your UNIX user identities (UIDs) and group identities (GIDs) are unique for all of the computers you want to bring into the Active Directory forest, you can use a single Zone. For simplicity, or to migrate in phases, you can start with a single Zone and add Zones over time, but your conceptual design should take into account this migration strategy and Zone design.

Logical Design of Centrify DirectControl Solution

With Centrify DirectControl, many of the logical design considerations that were required for a pure Kerberos / LDAP solution are no longer applicable. This is because DirectControl automatically handles the configuration of many of the supporting services that are required to reach the End State. For example, when DirectControl is installed, the time service and time synchronization elements that are required for proper Kerberos operation are automatically set up correctly without the need for user intervention. Likewise, UNIX components such as PAM and NSS are also configured automatically when DirectControl is installed.

Another logical design consideration highlighted in other solutions is the strategy for handling Active Directory schema extensions for storing UNIX user attributes such as a UID or home directory. DirectControl simplifies the whole schema extension issue by eliminating the need for any schema extensions. Instead, DirectControl automatically stores UNIX user attributes in a well-defined Active Directory storage class reserved for use by applications. Again, using the DirectControl Zones feature, multiple sets of UNIX user attributes can be tied to a single Active Directory user. Management of these attributes can be accomplished by using the Active Directory Users and Computers MMC or the Centrify Administrator Console.

If the organization has already deployed Microsoft-supported UNIX schema extensions, such as the UNIX extensions included with Microsoft Windows Services for UNIX, then DirectControl can be easily configured to use that storage mechanism in addition to, or as an alternative to, DirectControl Zones.
Figure 1.5. An example of the internal Active Directory storage hierarchy for a DirectControl Zone

Since DirectControl Zones add numerous possibilities for better role-based access control and for enabling easy migration from existing UNIX directories, the organization should evaluate and create a logical design and plan for how Zones are used. This of course only applies if DirectControl is selected as the method for reaching the End State. Some of the considerations for how to apply Zones in the logical design include:

Using Zones to address multiple legacy UIDs and enable rapid migration to Active Directory
For existing UNIX systems that have LDAP, NIS or /etc/passwd based directories, the user information in these directories can be directly imported into multiple DirectControl Zones. Typically the design would call for one Zone for each substantially distinct legacy directory store. Usernames in each Zone are then mapped to existing Active Directory user accounts. This allows the UNIX identity system to be immediately moved to Active Directory without forcing a change of UIDs on the legacy UNIX system. Having the option to retain legacy usernames and UIDs is a major design consideration, since the alternative of manually changing UID ownerships and name-associated files on the UNIX system, for every user, could be an enormous task and an obstacle to a successful migration.

Using Zones and Services for UNIX to address other UNIX services tied to Active Directory
For organizations that have deployed Services for UNIX and are using the SFU NIS Server or NFS services, it is likely that they have extended the Active Directory schema using SFU. If this is the case, the logical design should include reserving a Zone for the SFU-enabled user accounts, since the UNIX attributes stored with each account will continue to be used once this new project is completed. DirectControl fully supports mapping the SFU user attributes into a DirectControl Zone.

Using Zones, Group Policy and other methods for enabling true role-based access control
One of the most powerful capabilities enabled with Zones is the ability to manage access to systems by using a logical design of Zones mapped to roles and organizations. The organization of Zones could be designed around geographic divisions (e.g. a Zone for Europe, a Zone for Asia), around functional groups (e.g. a Zone for Engineering, a Zone for HR) or any other user-defined taxonomy. Since users only have access to systems in a Zone if they are explicitly added as members of that Zone, organizations have better control over access to system resources and data. Additionally, administration of each Zone can be delegated to non-administrator individuals on a Zone-by-Zone basis, resulting in better control over the administration of all systems. Finally, by adding controls using group memberships and Centrify's Group Policy for UNIX capabilities, access control is further refined. For example, it is possible to lock the configuration of privileged command execution by controlling the sudoers file via Group Policy. All of these access control capabilities are at the organization's disposal as they create their logical plan for mapping user and group identities to intended resource use and data access.

Multi-phase migrations of UNIX identities and UNIX identity consolidation using Zones
Migrations are rarely completed in a single step. Due to schedules, system retirements, complexity and identity conflicts, an organization may choose to move some or all of the UNIX identity systems to Active Directory in phases. For example, the logical design may call for moving a NIS directory user account store into Active Directory without any modifications to the existing UNIX user attributes. This requirement may be called for if the UNIX systems have a large number of files with complex user and group ownership relationships and there is a desire to move quickly to Active Directory but have no disruption for users during the migration. Once the former NIS services have been transparently migrated to Active Directory, the IT organization may want to create a plan to eventually consolidate the multiple UNIX UIDs that each end user has. With DirectControl, this can be done in a number of ways based on the requirements and complexity of the organization.

Complex designs incorporating some or all of the above elements
Typically when migrating from one system to another there is seldom a single method or process that can be applied to all cases. The logical design of the identity migration and the organization of identity groups should be carefully mapped out with a goal of reaching the End State as quickly as possible and with the maximum flexibility for addressing role-based security, minimal end user disruption and no loss of functionality. The DirectControl suite offers numerous options to enable each of the requirements highlighted above.
Figure 1.6 is a representation of a potential logical design for achieving the End State using Centrify's DirectControl solution.

[Figure 1.6 diagram: the example.com forest with a Windows Server 2003 Active Directory domain (Time Service, DNS Service, Active Directory User Accounts, LDAP and Kerberos KDC Services, existing schema or SFU schema, AD Users & Computers MMC, DirectControl Admin Console, and Centrify ZoneA, ZoneB and ZoneC Maps & Store), a Domain Trust to dept.example.com (Windows Server 2003 Active Directory with LDAP and Kerberos KDC Services), UNIX/Linux clients in ZoneA, ZoneB and ZoneC each running PAM / NSS with the DirectControl Agent and exchanging AuthZ, AuthN and Account Info with the domain, and a Windows client; the result is Kerberized and directory-aware logins and applications.]

Figure 1.6. Overview of a logical design for authentication, authorization and directory services using Centrify DirectControl

For more information on how to use Zones to enable rapid migration to Active Directory, see the White Paper, Centrify's Solution for Migrating UNIX Directories to Active Directory.

Physical Design of Centrify DirectControl Solution

The physical design for authentication and authorization using Centrify DirectControl involves selecting the physical computers where you will install the Centrify DirectControl Windows components, the physical UNIX and Linux computers where you will install Centrify DirectControl Agents, and how you will monitor connectivity and bandwidth usage to verify performance, availability and access control goals.

Typically the Windows components for DirectControl are installed on a Windows client system rather than on an Active Directory domain controller. DirectControl was designed this way so that administrators would not have to touch a production Active Directory domain controller. When DirectControl is installed by the administrator on this client system, new objects are automatically added to the Active Directory system and the DirectControl Administrator Console is installed on the client system. The Active Directory Users and Computers MMC is also extended with a new tab to enable the management of user UNIX attributes. Since these tools are most likely to be used by administrators, this system will probably be located in close proximity to one of the Active Directory domain controllers, such as the secure administrator console room in a data center.
If you have a large UNIX environment, you should consider the number and locations of your Active Directory domain controllers. Your physical design should address which domain controllers different sets of UNIX computers should use and whether additional domain controllers should be added to handle the increased demand from UNIX computers and users. Plans should be made to address network bandwidth and latency, as well as provisions for uninterrupted service in the event of the unplanned failure of a local domain controller.

Since DirectControl supports the caching of user credentials, users will be able to continue to securely access systems that they have previously accessed even if the domain controller is not available. This is consistent with the behavior of a Windows XP system that has been joined to the domain and accessed by a domain user at least once. This new capability should be taken into consideration when building the physical design and location of domain controllers.

DirectControl supports the secure exchange of Active Directory credentials in cross-domain trusts and forests with multiple domains. This capability, for example, will enable planners to securely share application servers across multiple domains in the organization, with the result of potentially reducing the number of physical servers.

Finally, the DirectControl credential caching capability enables some new potential scenarios for the physical design of the network. The possibility now exists to have roaming Linux or UNIX users who are able to securely log into the domain accounts on their systems, even if they are not on the same network as the domain controller.

Figure 1.7 is an example of a physical design that leverages DirectControl for providing security and directory services to UNIX and Linux systems in a multi-domain environment.

[Figure 1.7 diagram: a Corporate LAN (example.com) with a Windows Server 2003 Domain Controller with DirectControl, a second Windows Server 2003 Domain Controller, a Windows app server, a Windows Client with DirectControl Admin Console and ADUC MMC, a Sun Solaris Server running a J2EE app server with DirectControl, a Windows Client and a UNIX/Linux Client with DirectControl Agent; a Branch LAN (dept.example.com) reached over WAN / VPN with a Windows Server 2003 Domain Controller, a Windows app server, a Windows Client and a UNIX/Linux Client with DirectControl Agent, linked to the corporate domain by Active Directory replication and a cross-domain trust; and a roaming UNIX/Linux Client with DirectControl Agent. Callouts: single username and password for Windows, UNIX and Linux clients; transparent single sign-on access to Windows, UNIX and Linux apps; single username and password and cached AuthZ and AuthN for disconnected UNIX and Linux clients.]

Figure 1.7. Example of a physical design for authentication, authorization and directory services using Centrify DirectControl
Developing the Centrify DirectControl Solution

This section describes the tasks that are required to use the Centrify DirectControl suite to implement the End State, that is, using Active Directory to authenticate UNIX clients with Kerberos and to access UNIX authorization and identity information with LDAP.

Although authentication and authorization services are treated separately in many parts of this guide, the DirectControl solution delivers a user experience for UNIX users that works seamlessly, much like the user experience on Windows clients. After you install DirectControl, when a user attempts to log on to a UNIX computer, the user enters a username and password that is then validated by Active Directory through the underlying Kerberos authentication system. After the user is authenticated, Active Directory determines how the user can use the UNIX computer based on authorization properties associated with that user's account, the computer the user is logging on to, and the groups to which the user belongs. For example, a setting might be configured in Active Directory to prevent access to the computer at the time of day when the user attempts to log on. Even though the user is authenticated, the logon session fails because the user is not authorized to use the computer at that time.

In addition, other properties associated with the user account are now stored in Active Directory and can be used to establish the user's session on the UNIX computer or used by applications on the UNIX computer. For example, the user's UNIX home directory is stored in Active Directory. After the user is successfully authenticated and authorized, this attribute is used to establish the user's home directory, which is then used during the logon session on the UNIX computer.

DirectControl includes capabilities well beyond the scope of the End State solution described in this guide. For example, DirectControl includes a component for using Microsoft Group Policy to manage computer and user policies on UNIX and Linux computers. DirectControl also provides capabilities for seamless file sharing, a NIS passthrough server, and authentication modules for Web and application platforms. For more information related to capabilities in DirectControl that go beyond the End State, see Evolving the Centrify DirectControl Solution later in this guide, and see the Centrify Web site at

Introduction and Goals

The development information provided here focuses only on the aspects of DirectControl that directly support achieving the End State.

Major Tasks and Deliverables

This section describes the installation and configuration of DirectControl that you need to perform in order to develop the End State solution. The following list summarizes the major tasks required to install and configure DirectControl for this solution:

Preparing your environment
Install a domain controller, configure DNS, create test users and groups, and verify time synchronization.

Choose DirectControl Zones or Active Directory schema extensions
Decide whether to use DirectControl Zones, Active Directory schema extensions for SFU, or both, for storing UNIX user data.

Install Centrify DirectControl on a Windows Server 2003 computer
Decide whether to use a trial or commercial license, and then run the setup program to install DirectControl components on a Windows computer.
Configure Active Directory with the first DirectControl Zone
Use the Centrify DirectControl Setup Wizard to update Active Directory and to configure the default Zone.

Enable Active Directory groups and users for UNIX
Use the Centrify DirectControl Setup Wizard to update Active Directory and to configure the default Zone.

Install the Centrify DirectControl Agent on UNIX or Linux
Run the installation script and select the tasks to perform for the specific UNIX or Linux computer on which you want to install DirectControl.

Join the Active Directory Domain
Run the adjoin command to add a selected UNIX or Linux computer to the Active Directory domain.

Restart running services
Restart specific services on UNIX computers, or reboot to restart all services.

Preparing Your Environment

The following sections describe how to prepare your environment for this security and directory services solution for the End State. This development environment serves as a proof-of-concept for this solution. Preparing your environment requires the following tasks:

- Install and Configure Active Directory Domain Controllers
- Configure the DNS Server
- Create Test Users and Groups
- Verify time synchronization

Installing and Configuring Active Directory Domain Controllers

An Active Directory domain controller provides authentication and authorization data, serving as both the Kerberos Key Distribution Center (KDC) and as the authorization data store. These instructions call for installation and configuration of two domain controllers to allow for testing of UNIX authentication and authorization under failover conditions. Optionally, you can skip installation of the second domain controller for the initial configuration and install it at a later time.

To install and configure Active Directory and DNS

1. Install the Windows Server 2003 Standard Edition operating system on a computer.
2. Use the Active Directory Installation Wizard (dcpromo) to install and configure the server as an Active Directory domain controller. Use the default values supplied by the installation wizard.
3. Configure a Domain Name System (DNS) server role on the domain controller:
   - Create both forward and reverse lookup zones.
   - Select the option Allow both nonsecure and secure dynamic updates.
   - Make sure that both the forward and reverse lookup zones use Active Directory integrated DNS.
   - Configure DNS for the server's local network connection.
4. Install the Support Tools from the Windows 2003 Server CD.
5. Install a second Windows 2003 server, and use the Active Directory Installation Wizard (dcpromo) to configure it as a second domain controller.
6. Install DNS on the second Windows 2003 server:
   - Create both forward and reverse lookup zones.
   - Select the option Allow both nonsecure and secure dynamic updates.

With this configuration, the DNS data from the first DNS server automatically replicates to the second DNS server.

For information about installing, configuring, and securing Active Directory, see the documentation that comes with Microsoft Windows Server 2003. For information about installing and configuring DNS, see "Deploying Domain Name System (DNS)" in the Windows Server 2003 Deployment Guide at: c-06c3-4b92-ba32-63d895a7924b.mspx.

Configuring the DNS Server

The preceding section describes how to configure the DNS server role on the Active Directory domain controllers for your test environment. If you do not use the Windows Server 2003 Active Directory domain controller as the DNS server, or if you do not allow dynamic updates, additional configuration steps are necessary. This guide assumes that you use the same Windows 2003 DNS server that your Active Directory server uses. For information about other configuration options, see the Centrify DirectControl Administrator's Guide.

Creating Test Users and Groups

It is recommended that you add all UNIX users, computers, and groups under a separate Active Directory organizational unit (OU). Using a separate container lets you apply unique group policies to the objects used by UNIX.

To create OUs, users, and groups for UNIX objects

1. Log on to a Windows computer on which Active Directory Users and Computers is installed, using an account that has privileges for adding new users and groups.

2. Open Active Directory Users and Computers.

3. Create a new OU for testing UNIX users and groups. For example, create a new OU under the domain called MyUNIXTest:
   a. In the console tree, right-click the domain name, point to New, and then click Organizational Unit.
   b. In New Object - Organizational Unit, type MyUNIXTest under Name, and then click OK.

4. Create OUs for testing UNIX users, groups, and computers. For example, create OUs named UNIXUsers, UNIXGroups, and UNIXComputers under MyUNIXTest:
   a. Right-click MyUNIXTest, point to New, and then click Organizational Unit.
   b. In New Object - Organizational Unit, type UNIXUsers under Name, and then click OK.
   c. Repeat steps a and b to create OUs for UNIXGroups and UNIXComputers.

5. Create two test user accounts under the UNIXUsers OU. For example, create testuser and testadmin:
   a. Right-click UNIXUsers, point to New, and then click User.
   b. In New Object - User, in Full name type testuser, in User logon name type testuser, and then click Next.
   c. Type and confirm a password, clear User must change password at next logon, select Password never expires, and then click Next.
      CAUTION: In a test environment, you might want to choose these options. In a production environment, choose more secure options.
   d. Click Finish.
   e. Repeat steps a through d to create another test user account named testadmin.
6. Create two test group accounts under the UNIXGroups OU. For example, create FinanceUsers and FinanceAdmins:
   a. Right-click UNIXGroups, point to New, and then click Group.
   b. In New Object - Group, in Group name, type FinanceUsers, and then click OK.
   c. Repeat steps a and b to create another test group account called FinanceAdmins.

You can use these user and group accounts to perform a quick validation of the DirectControl solution and to verify authentication and authorization during the testing and stabilization phase. For more information, see Performing Quick Validation Tests later in this section, and see Testing and Stabilizing Authentication and Authorization later in this guide.

Verifying Time Synchronization

Check that all system clocks on the computers that you use in the test environment are synchronized, and use the Network Time Protocol or another mechanism to keep them closely synchronized. This is a Kerberos requirement: all Kerberos tickets are time-stamped, and the Kerberos protocol has a narrow tolerance for discrepancies between system clocks. By default, the join Active Directory (adjoin) command (described later) performs this synchronization between the UNIX host and Active Directory when you join the domain.

Developing the Components of the Solution

The following subsections provide detailed instructions for performing the major development tasks. You can find additional information about installing and configuring DirectControl in the documentation that accompanies the product, including the Centrify DirectControl Administrator's Guide.

Choosing DirectControl Zones or Active Directory Schema Extensions

As mentioned earlier, DirectControl supports both the use of DirectControl Zones and the use of SFU schema extensions for storing UNIX user attributes in Active Directory.
Before installing DirectControl, you should evaluate whether to use SFU extensions, DirectControl Zones, or both mechanisms for storing UNIX user data. For example, if SFU is already in use in your organization and UNIX user information is already stored in Active Directory by using the SFU extensions, it might be appropriate to use the SFU Active Directory extensions and the existing user account information. If your organization has no plans to use SFU, the most appropriate choice might be to use DirectControl Zones. If you currently use SFU but also need to migrate other UNIX directory stores to Active Directory, the best approach might be to implement a solution that uses both SFU extensions and DirectControl Zones.

Important: Extending the Active Directory schema requires care. To reduce the chance that problems arise during the schema extension process, the recommended practice is to select extension mechanisms that Microsoft supports. Before you extend the schema, see "Extending the schema" in the Windows Server 2003 Help and Support Center.

Installing Centrify DirectControl on Windows

This section covers choosing a trial or commercial license for Centrify DirectControl and describes how to install the Centrify DirectControl Management Tools on a computer running Windows.
Managing DirectControl Licenses

Centrify DirectControl is commercially licensed software. A valid license key is required for extended use of the software. If you want to evaluate the software, you can choose a 30-day trial license at the time that you install the software on a Windows computer. If, after the evaluation, you choose to purchase a license key, you can easily upgrade the product to a full commercial license through the Centrify DirectControl Administrator Console that you install in Configuring Active Directory with the First DirectControl Zone later in this section. You can find information about licensing, prices, and evaluation copies of DirectControl through the Centrify Web site at or by calling the Centrify sales line at.

Installing Centrify DirectControl Management Tools on Windows

Before you can add UNIX computers to Active Directory, you must use the setup program to install the Centrify DirectControl Management Tools on a Windows computer in the Active Directory forest. The setup program copies the necessary DirectControl files to the local Windows computer. You do not need any special permissions to run the setup program other than permission to install files on the local computer.

To install the Centrify DirectControl Management Tools on Windows

1. On the Windows-based computer onto which you want to install the DirectControl Management Tools, locate the Windows folder on the Centrify DirectControl CD or in the folders extracted from a Centrify DirectControl zip file.

2. Double-click Setup.exe to start the setup program.

3. At the Welcome page, click Next.

4. Review the terms of the license agreement. If you accept the license agreement, select I agree to these terms, and then click Next.

5. Type your name and company name, select who can use this application on the computer, and then click Next.

6. Select the components that you want to install, and then click Next.
   Note: Typically, the first time you run the setup program, you accept the default option to install all components. However, you can choose a custom installation if you prefer.

7. Click Next to install the components in the default location, or click Browse to choose a different location, and then click Next.

8. Verify your installation settings, and then click Next.

9. Click Finish to complete the installation.

When you run the setup program for the first time with the default components selected, it installs the Centrify DirectControl Management Tools, which include:
- The Centrify DirectControl property extensions for Active Directory Users and Computers.
- The Centrify DirectControl Administrator Console and extensions for managing NIS maps in Active Directory.
- The Centrify DirectControl Administrative Templates for configuring UNIX group policies.
- The Centrify DirectControl Administrator Console Help and other documentation.
- The Centrify DirectControl API, packaged in a dynamic link library (DLL). The Centrify DirectControl API provides the Component Object Model (COM) objects that convert Active Directory application objects into Centrify-enabled UNIX user, group, computer, and Zone objects.
Configuring Active Directory with the First DirectControl Zone

When you start the Centrify DirectControl Administrator Console for the first time on the Windows computer onto which you installed the DirectControl Management Tools, a Setup Wizard is displayed. The wizard helps you configure the default properties for your first Centrify DirectControl Zone. In addition, the Setup Wizard makes it easier for you to control where Centrify DirectControl container objects are placed and who has permission to modify the objects within those containers.

Because the Centrify DirectControl Zone Setup Wizard creates container objects, however, you might need to log on with an account that has Enterprise Administrator privileges. This requirement depends on the specific permissions your organization has configured for different classes of users. For example, if your organization permits accounts with membership in the Domain Admins group, or other types of accounts, to create parent objects in Active Directory, membership in the Enterprise Admins group is not required.

You must complete all of the configuration steps, including those that set up the default Zone, before you begin adding computers to the domain. For more information about any configuration step, see the Centrify DirectControl Administrator's Guide.

To start the Setup Wizard and update the Active Directory forest

1. On the Windows-based computer onto which you installed the DirectControl Management Tools, open the Centrify DirectControl Administrator Console.
2. At the Welcome page, click Next.
3. Select Use currently connected user credentials to use your current logon account, or select Specify another user's credentials and type a user name and password, and then click Next.
4. Click Next to accept the default container location for license keys.
5. Select Install the 30 day evaluation license keys, and then click Next.
6. Select Create private group container, and then click Next.
7. Click Next to accept the default container location for private groups.
8. Select Create default Zone container, and then click Next.
9. Click Next to accept the default container location for Zones.
10. Select Create default Zone, and then click Next to configure the default Zone.
11. Click Next to accept the default location for the default Zone.
12. Click Next to accept the default numeric user identifier (UID) to start with for new UNIX users in the default Zone.
13. Click Next to accept the default numeric group identifier (GID) to start with for new UNIX groups in the default Zone.
14. Click Next to accept the default home directory path for creating new UNIX home directories in the default Zone.
15. Select the type of UNIX shell to use by default for users in the default Zone (for example, select /bin/sh or /bin/bash), click Set as default, and then click Next.
16. Select Private group as the default primary group for users in the default Zone, and then click Next.
    Note: This option allows each UNIX user to have a private Active Directory group as the primary group. If you select this option, private Active Directory groups are created automatically when you add UNIX users.
17. Select Set up property pages to allow the Centrify Profile properties to be displayed in Active Directory Users and Computers, and then click Next.
18. Confirm your configuration settings, and then click Finish.

After you run the DirectControl Setup Wizard and configure Active Directory, DirectControl makes minor modifications to your Windows Active Directory environment. The following subsections describe some of these changes.
Zones: UNIX Attribute Storage in Active Directory

After you run the DirectControl Setup Wizard, Centrify DirectControl information is stored in Active Directory and is visible in the Program Data folder in the Active Directory Users and Computers console tree. This structured area, which is the standard area used to store application-related information, includes centralized Centrify license information and structures for each Zone that is created. Each Zone area contains information about the UNIX computers that are members of the Zone as well as information about users and groups that have access to the Zone. Optionally, you can also store data under each Zone structure that describes the NIS maps that apply to the Zone.

Typically, you do not view or modify any of the Zone information in the Program Data folder in Active Directory Users and Computers directly. Instead, use the Centrify DirectControl Administrator Console or the Active Directory Users and Computers user, group, or computer property pages to make additions or changes to DirectControl data.

The following screenshot shows Centrify information stored in Active Directory Users and Computers under the Program Data folder. To display the Program Data folder, you must select Advanced Features from the View menu in Active Directory Users and Computers. This example shows a typical Zone structure.

Figure 1.8. Example of a typical Zone structure as viewed in Active Directory Users and Computers
Centrify DirectControl Administrator Console Includes MMC Interface

The Centrify DirectControl Administrator Console is the main tool for managing all aspects of the DirectControl product. This tool uses the same interface that is used by Microsoft MMC tools and therefore can run side-by-side with the Microsoft tools that you use to manage the Active Directory environment, such as Active Directory Users and Computers. The following screenshot shows the top-level task screen for the DirectControl Administrator Console.

Figure 1.9. The Centrify DirectControl Administrator Console

You can install the Centrify DirectControl Administrator Console on any Windows-based computer that is joined to the Active Directory forest. The Console includes a comprehensive online help system that is installed with it. Multiple consoles can be installed on computers across the forest. Because the information used by the Console is stored centrally in Active Directory, a consistent view of the data is provided across multiple running instances of the Console.

Modifications to Active Directory Users and Computers

Installing the DirectControl Windows components on a Windows-based computer modifies Active Directory Users and Computers if Active Directory Users and Computers is installed on the Windows computer at the time that you run the DirectControl Setup Wizard. You can see the Centrify folder and its subfolders added to Active Directory Users and Computers under Program Data in Figure 1.8, "Example of a typical Zone structure as viewed in Active Directory Users and Computers," earlier in this section.

Another important change occurs on the properties page for a user or a group. A new tab called Centrify Profile is added to each user or group properties page so that you can view or modify the UNIX attributes associated with the user or group along with the other Active Directory properties. You can see an example of the Centrify Profile tab in Figure 1.2, "SFU schema attributes appear as a Centrify Zone on the user properties page in Active Directory Users and Computers," in the section "Microsoft Services for UNIX schema extensions" earlier in this guide. You can also modify these properties with the Centrify DirectControl Administrator Console.

Enabling Active Directory Groups and Users for UNIX

When you use DirectControl to join a UNIX or Linux computer to an Active Directory domain, the same type of digital identity is used for the new UNIX or Linux account as is used for a Windows account. When you join a computer to the domain, a computer account is set up for the UNIX computer in Active Directory. You can view or edit this computer account in either Active Directory Users and Computers or the DirectControl Administrator Console.

Although you typically create Active Directory user or group accounts by using Active Directory Users and Computers, you can also import users or groups from UNIX configuration files or from NIS domains. After a user account is stored in Active Directory, you can enable or disable access to UNIX computers as needed.

Giving UNIX Access to Groups

Before giving UNIX access to users (covered in the next section), you must first create at least one UNIX-enabled Active Directory group account that you can use as the primary group identifier (GID) for all UNIX-enabled users (or for a subset of UNIX-enabled users). Depending on your site configuration, you might want to provide different default groups for different users in your actual deployment.

You can use either of the following two methods to give an existing Active Directory group access to UNIX:
- You can use Active Directory Users and Computers to open the Properties page for a group, and then click the Centrify Profile tab to specify UNIX properties for the group.
- You can use the Centrify DirectControl Administrator Console to add an existing Active Directory group to any Centrify DirectControl Zone.

The following procedure shows you how to use the second method.

To add Active Directory groups to a Centrify DirectControl Zone

1. On the Windows computer, open the Centrify DirectControl Administrator Console.
2. In the console tree, click Zones, and then open the Zone to which you want to add the Active Directory group. For example, open the default Zone.
3. Right-click Groups, and then click Add Group to Zone.
4. Type a search string to locate the group, and then click Find Now. For example, type fin to display the groups FinanceUsers and FinanceAdmins.
5. Select both groups in the results, and then click OK.
6. Review the UNIX profile settings for the FinanceAdmins group, make any changes, and then click OK.
7. Review the UNIX profile settings for the FinanceUsers group, make any changes, and then click OK.
8. After you add the groups to the Zone, you can view or change their UNIX properties by opening the group's property page in Active Directory Users and Computers or in the DirectControl Administrator Console and selecting the Centrify Profile tab.
The following screenshot shows an example of the Centrify Profile properties for a UNIX-enabled group.

Figure Centrify Profile properties for a UNIX-enabled group.

Giving UNIX Access to Users

You can use either of the following two methods to give an existing Active Directory user access to UNIX:
- You can use Active Directory Users and Computers to open the Properties page for a user, and then click the Centrify Profile tab to specify UNIX properties for the user.
- You can use the Centrify DirectControl Administrator Console to add an existing Active Directory user to any Centrify DirectControl Zone.

The following procedure shows you how to use the second method.

To add users to a Centrify DirectControl Zone

1. On the Windows computer, open the Centrify DirectControl Administrator Console.
2. In the console tree, click Zones, and then open the Zone to which you want to add the Active Directory user. For example, open the default Zone.
3. Right-click Users, and then click Add User to Zone.
4. Type a search string to locate the user, and then click Find Now. For example, type tes to display the users testuser and testadmin.
5. Select both users in the results, and then click OK.
6. Review the UNIX profile settings for the testadmin user, make any changes, and then click OK.
7. Review the UNIX profile settings for the testuser user, make any changes, and then click OK.
8. After you add the users to the Zone, you can view or change their UNIX properties by opening the user's property page in Active Directory Users and Computers or in the DirectControl Administrator Console and selecting the Centrify Profile tab.

The following screenshot shows an example of the Centrify Profile properties for a UNIX-enabled user.

Figure Centrify Profile properties for a UNIX-enabled user.

Optionally Mapping Root and Privileged UNIX Accounts to Active Directory Accounts

By default, local UNIX user accounts remain valid on the UNIX computers that join the Active Directory domain. You can enable or disable access selectively for individual local users and groups, as needed, by modifying Centrify DirectControl group policies or the Centrify DirectControl configuration file on any computer. For some local UNIX accounts, however, you might want to control access by mapping a local user account to an Active Directory account.
Because mapping a local UNIX user account to an Active Directory account gives you better control over password policies, this technique is especially useful for controlling access to accounts that have special privileges. For example, the local superuser or root user account on each UNIX computer has broad authority. By mapping this account to an Active Directory account and password, you can:
- Control access to the root user account, because users cannot log on unless they know the Active Directory password for the account.
- Ensure that Active Directory password policies are applied to the root user account password, so that each root user password is complex enough, or changed frequently enough, to conform with established security policies.

Although mapping is especially useful for the root user account, you can also map any local UNIX user account to an Active Directory account. For example, many applications have their own special user account with permission to perform restricted operations. If you want to enforce Active Directory password policies for such an account or for any other local user account, you can do so by mapping the local UNIX account to an Active Directory account.

Mapping the Root Account to an Active Directory Account for Increased Security

The most likely candidate for account mapping is the root user, because every UNIX computer has its own root user account. Typically, however, you do not want to create a single user in Active Directory for the root user account, because doing so compromises the security of your network by giving anyone with the root password root-level access to every UNIX computer in the forest. To prevent this problem, DirectControl allows you to map the local root user account to another user name in Active Directory for password validation.
You can specify a separate Active Directory user account for each UNIX computer so that each root user has a unique name and password. Alternatively, you can use one Active Directory user account for all root users of a group of UNIX computers so that there are fewer accounts and passwords to manage. For example, if you have a group of computers in a DirectControl Zone called WebFarm and you want to use one Active Directory password for the root account on all of these computers, create an Active Directory user account called root_webfarm, and then map that user to the local root user by using the User Map group policy for UNIX computers.

When a user logs on as root, the user is authenticated with the password for the Active Directory account that you created. If, for example, the user logs on with the root user account and the password &tiger1, Centrify DirectControl checks the Active Directory password for the account (such as root_webfarm) to which the root user is mapped. If the password &tiger1 is valid for the Active Directory account, the user is authenticated and allowed to log on.

By default, DirectControl maps the local root user account to an Active Directory account called root_zonename. However, you can change the Active Directory account you want to map to on any computer by using group policy or by modifying the computer's Centrify DirectControl configuration file, /etc/centrifydc/centrifydc.conf. You map the local root user account to the default Active Directory user account by creating the Active Directory user account that uses the root_zonename naming convention.

To map the local root user account to the default Active Directory user account

1. Create the Active Directory user account that you want to use. For example, if you want to use the same Active Directory account for the root account on all computers in the Zone WebFarm, create an Active Directory user account called root_webfarm.

2. On a UNIX computer, open the Centrify DirectControl configuration file /etc/centrifydc/centrifydc.conf.
3. Modify the local account mapping so that the local root user is mapped to the Active Directory account you created. You can use environment variables such as $DOMAIN, $ZONE, or $HOSTNAME if you used the domain, Centrify Zone, or host name in the Active Directory account name. For example:

   pam.mapuser.root: root_$zone

If you want to use environment variables for mapping or do not want to apply group policies, you can edit the configuration file. Alternatively, you can use Active Directory group policies to map local UNIX users and groups to Active Directory accounts. For more information about mapping local UNIX accounts in Active Directory, see the Centrify DirectControl Administrator's Guide.

Installing the Centrify DirectControl Agent on UNIX or Linux

The DirectControl components that you need to install on each UNIX computer that you want to join to an Active Directory domain are bundled together in a platform-specific software package. The information included in this guide focuses on implementing DirectControl with Red Hat Linux version 9 and Sun Solaris UNIX version 9. The procedures in this guide were developed on a computer running Red Hat Linux version 9. As of this writing, Centrify DirectControl supports the following platforms:
- AIX
- Debian Linux
- HP-UX
- Mac OS X
- Red Hat
- Solaris
- SuSE
- VMware ESX

Centrify continually adds support for new operating system platforms and platform versions. For the latest information about supported platforms and versions, see Centrify's supported platforms Web page on:

You can install these components by using a native installation mechanism for each platform, using either of the following two methods:
- Use the Centrify DirectControl installation script to automatically invoke the proper installation mechanism for a computer's local operating system by specifying the proper command-line options.
  An example of this type of installation is provided in the next procedure, "To install the Centrify DirectControl Agent on a Linux or UNIX computer."
- Manually install any package by running the appropriate installation command yourself.

The following steps assume that you choose the first method and use the Centrify DirectControl installation script to install the Centrify DirectControl Agent. Alternatively, if you want to install the package yourself, see the Centrify DirectControl Administrator's Guide for the installation command to use for the specific version of Linux or UNIX running on the computer on which you want to install the package.

To install the Centrify DirectControl Agent on a Linux or UNIX computer

1. On the Linux or UNIX computer, log on as or switch to the root user.
2. Depending on whether you choose to install the DirectControl Agent from a CD or download it, perform the appropriate step:
   - Install Agent from CD: To mount the CD-ROM device, use the appropriate command for the local computer's operating environment. For example, type:
     mount /mnt/cdrom
   - Download Agent from FTP or Web: Download the DirectControl Agent by using FTP or from the Centrify Web site at

3. Change to the UNIX directory on the CD or to the directory where you downloaded the Agent package. For example, type:
   cd UNIX

4. Run the install.sh script to start the installation of DirectControl on the local UNIX computer. For example, type:
   ./install.sh

5. Follow the prompts displayed to select the services you want to install and the tasks you want to perform. For example, you can choose whether to install the files for configuring authentication for Tomcat applications (Tomcat is a Java-based web application platform) and whether you want to join a domain automatically at the conclusion of the installation. Depending on your selections, you might need to provide additional information, such as the location of the Tomcat installation directory or the user name and password to use to join the domain.

Directory and File Changes Made to UNIX by DirectControl

When you complete the installation of the DirectControl Agent, the local computer is updated with the directories and files for DirectControl listed in the following table.

Table 1.3. Directory and File Changes after Installing the DirectControl Agent

Directory                 Contains
/etc/centrifydc           Centrify DirectControl Agent configuration files.
/etc/init.d               Centrify DirectControl Agent startup / shutdown script files.
/lib                      NSS and PAM libraries.
/usr/share/centrifydc     Java, Kerberos, and service library files used by the Centrify DirectControl Agent and other modules to enable the following:
                          - Centrify DirectControl for Apache
                          - Centrify DirectControl for Tomcat
                          - Centrify DirectControl for JBoss
                          - Centrify DirectControl for WebLogic
                          - Centrify DirectControl for WebSphere
                          - Kerberos-related operations and other DirectControl operations
                          Diagnostic and service startup files. Mapper and script files for Group Policy.
/usr/share/man            Man pages (UNIX online manual or help pages) for various Centrify DirectControl commands.
/usr/sbin & /usr/bin      Command-line programs to perform Active Directory tasks, such as joining the domain or changing a user password.
/var/centrifydc           No files until you join the domain. After you join the domain, several files are created in this directory to record information about the Active Directory domain to which the computer is joined, the Active Directory site the computer is part of, and other details.

Additional Changes Made to UNIX by DirectControl

The following subsections describe additional changes made to UNIX by DirectControl when you install the DirectControl Agent on a UNIX computer.

NSS

When you join a UNIX computer to an Active Directory domain with DirectControl's adjoin command, the NSS configuration file, /etc/nsswitch.conf, is automatically updated to use the Centrify DirectControl NSS module first. Using the Centrify DirectControl adclient daemon and the service library, the Centrify DirectControl NSS module accesses network information that is stored in Active Directory by using LDAP calls. The adclient daemon then caches responses locally to ensure faster performance, reduce network traffic, and allow for disconnected operation. The cache contents are encrypted to ensure the security of the responses.

PAM

When you join a UNIX computer to an Active Directory domain, the Centrify DirectControl PAM component is automatically placed first in the PAM stack in the /etc/pam.d/system-auth file so that Active Directory authentication takes precedence over other authentication methods. In addition, PAM is configured with a number of default policy settings. You can customize these policies locally or through a combination of local and Active Directory settings.

Kerberos

When you install the DirectControl Agent on a UNIX computer, a full implementation of MIT Kerberos is also installed. Massachusetts Institute of Technology (MIT) is the original creator of Kerberos.
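The NSS and PAM precedence changes described above, together with the pam.mapuser.root mapping in /etc/centrifydc/centrifydc.conf described under Mapping the Root Account, are all plain local files that an administrator can verify after a join. The following script is an added example, not Centrify's code or part of this guide; it runs against constructed copies of the three files and assumes the NSS source is named centrifydc, the PAM module is pam_centrifydc.so, and the mapping variables may be written as either $zone or $ZONE (none of which the guide states).

```shell
#!/bin/sh
# Added example (not part of the Centrify guide or product): verify the
# host-side changes DirectControl makes after adjoin, using constructed
# copies of /etc/nsswitch.conf, /etc/pam.d/system-auth and
# /etc/centrifydc/centrifydc.conf.  Assumed names (the guide does not
# give them): NSS source "centrifydc", PAM module "pam_centrifydc.so".
set -eu

NSS_SOURCE=centrifydc
PAM_MODULE=pam_centrifydc.so

# Write constructed sample files (not real captures) into a scratch directory.
make_samples() {
  WORK=${TMPDIR:-/tmp}/cdc_check.$$
  mkdir -p "$WORK"
  cat > "$WORK/nsswitch.conf" <<'EOF'
# constructed /etc/nsswitch.conf as adjoin leaves it: centrifydc first
passwd:     centrifydc files
shadow:     files
group:      centrifydc files
hosts:      files dns
EOF
  cat > "$WORK/system-auth" <<'EOF'
#%PAM-1.0  (constructed; simple "type control module" form only)
auth        sufficient    pam_centrifydc.so
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        required      pam_deny.so
account     sufficient    pam_centrifydc.so
account     required      pam_unix.so
EOF
  cat > "$WORK/centrifydc.conf" <<'EOF'
# constructed fragment of /etc/centrifydc/centrifydc.conf
pam.mapuser.root: root_$zone
pam.mapuser.oracle: oracle_$HOSTNAME
EOF
}

# First lookup source for an NSS database (passwd, group, ...), i.e. the
# source consulted before any other.
nss_first_source() {           # $1 database  $2 nsswitch.conf path
  awk -v db="$1" '
    { sub(/#.*/, ""); n = split($0, f, /[: \t]+/) }
    n >= 2 && f[1] == db { print f[2]; exit }' "$2"
}

# First module in a PAM stack (auth, account, ...).  Parses the plain
# "type control module" form; bracketed control fields are not handled.
pam_first_module() {           # $1 type  $2 PAM service file path
  awk -v t="$1" '$1 !~ /^#/ && $1 == t { print $3; exit }' "$2"
}

# Resolve the Active Directory account a local user is mapped to.
# Expands $zone/$ZONE, $hostname/$HOSTNAME and $domain/$DOMAIN (both
# spellings accepted here as an assumption).  Per the guide, root falls
# back to root_<zone> when no explicit mapping exists; any other unmapped
# user yields an empty string, meaning local password validation.
resolve_mapuser() {  # $1 conf  $2 local user  $3 zone  $4 host  $5 domain
  awk -v key="pam.mapuser.$2:" -v user="$2" -v zone="$3" -v host="$4" \
      -v dom="$5" '
    $1 !~ /^#/ && $1 == key { val = $2 }
    END {
      if (val == "" && user == "root") val = "root_$zone"
      gsub(/\$[Zz][Oo][Nn][Ee]/, zone, val)
      gsub(/\$[Hh][Oo][Ss][Tt][Nn][Aa][Mm][Ee]/, host, val)
      gsub(/\$[Dd][Oo][Mm][Aa][Ii][Nn]/, dom, val)
      print val
    }' "$1"
}

# Run the precedence checks the guide describes; one line per finding,
# exit status 0 only when every check passes.
check_agent_config() {         # $1 directory holding the three files
  dir=$1; rc=0
  for db in passwd group; do
    src=$(nss_first_source "$db" "$dir/nsswitch.conf")
    [ "$src" = "$NSS_SOURCE" ] && echo "ok   nss $db -> $src" || {
      echo "FAIL nss $db -> '$src' (expected $NSS_SOURCE first)"; rc=1; }
  done
  for t in auth account; do
    mod=$(pam_first_module "$t" "$dir/system-auth")
    [ "$mod" = "$PAM_MODULE" ] && echo "ok   pam $t -> $mod" || {
      echo "FAIL pam $t -> '$mod' (expected $PAM_MODULE first)"; rc=1; }
  done
  root_ad=$(resolve_mapuser "$dir/centrifydc.conf" root WebFarm web01 example.com)
  echo "info root on zone WebFarm authenticates against AD account $root_ad"
  return $rc
}

make_samples
if check_agent_config "$WORK"; then echo "all checks passed"; else echo "checks FAILED"; fi
rm -rf "$WORK"
```

On a real host, point check_agent_config at a directory holding the live files (or adjust the paths) and treat any FAIL line as a sign that local authentication could bypass Active Directory.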
The MIT Kerberos implementations for UNIX and Linux systems are available as Open Source and are widely used on both Open Source Linux platforms and commercial UNIX platforms. By including a fully functional Kerberos environment, DirectControl frees the user from the task of finding a Kerberos environment that works correctly with Active Directory. When you join a UNIX computer to an Active Directory domain, DirectControl automatically configures the UNIX computer with all of the correct settings needed to allow existing Kerberized applications to work with Active Directory without requiring manual configuration. The adclient daemon automatically creates and maintains the Kerberos configuration file, krb5.conf, and the krb5.keytab service ticket file. The configuration file is initially created with information collected by probing DNS and Active Directory, with the default domain set to the domain that the computer has joined. Whenever a logon or ticket validation is performed with a domain that is not in the configuration file, the configuration file is updated so that it includes the new domain. Although the adclient daemon can automatically update the file as needed, it does not destroy existing configuration entries CENTRIFY CORPORATION ALL RIGHTS RESERVED. PAGE 33
39 WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL 34 that you might have added manually. Because of this, DirectControl works seamlessly with your existing Kerberos-enabled applications. The following figure illustrates the NSS, PAM, and Kerberos services that are configured and enabled as part of the DirectControl configuration. Figure NSS, PAM, and Kerberos Services Enabled by DirectControl DirectControl daemons The DirectControl software on the UNIX computer installs two daemons that start at system startup. The first is adclient, which is the most important element in the Centrify DirectControl Agent architecture. The second, adnisd, is an optional daemon to handle servicing NIS requests. adclient The DirectControl adclient daemon manages all of the LDAP and Kerberos communications between Active Directory and the UNIX computer on which the daemon is installed. The adclient daemon performs several key tasks related to synchronizing the local computer s time with the clock maintained by Active Directory. Synchronization ensures that the timestamp on Kerberos tickets issued by the KDC are within a valid range. adnisd The DirectControl adnisd daemon intercepts requests to a NIS server for directory information and redirects these requests to Active Directory. Setting up and enabling the DirectControl NIS Server is outside the scope of this guide. For more information about configuring a UNIX computer with the DirectControl NIS Server, see the Centrify DirectControl Administrator s Guide. Joining the Active Directory Domain After you install Centrify DirectControl on a Windows computer and install the DirectControl Agent on one or more UNIX computers, you can join the UNIX computer to any Active Directory domain in the forest and can use existing Active Directory groups CENTRIFY CORPORATION ALL RIGHTS RESERVED. PAGE 34
40 WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL 35 and user accounts to log on to UNIX computers and run directory-enabled or Kerberosenabled UNIX programs. Understanding the adjoin command You must run the adjoin command on each UNIX or Linux computer included in the deployment to join the UNIX computers to Active Directory. Use the following parameters. adjoin [options] domain In addition to specifying the Active Directory domain name, you can specify one or more options. The key options for the adjoin command are described in the following table: Table 1.4. Key Options for the Adjoin Command Option --user --password password --zone Zone Description Active Directory user You must use a user account that has Add workstations to domain privileges. User s Active Directory password If you do not type the password when you specify the adjoin command, adjoin prompts you to provide the password. DirectControl Zone to which you want to join the UNIX computer For example, a user named jeffhay has the right to join computers to the Active Directory domain, he uses the password not24get, the Zone to which he wants to join the computer is called HR, and the Active Directory domain to which he wants to join the UNIX computer is called contoso.com. Jon Smith types the following command to join the UNIX computer to Active Directory is: adjoin --user jeffhay --password not24get --zone HR contoso.com Alternatively, if Jon Smith wants to enter the password interactively, he can use the following command: adjoin --user jeffhay --zone HR contoso.com Using adjoin to join a UNIX or Linux computer to Active Directory You can use the following procedure to join a UNIX or Linux computer to Active Directory. To join an Active Directory domain with Centrify DirectControl 1. On a UNIX computer, log on as or switch to the root user. 2. Run the adjoin command to join the UNIX computer to an existing Active Directory domain. Use a fully-qualified domain name. 
For example, type the following command to join the sales.contoso.com domain with the user account jeffhay and to place this computer in the default Zone:

adjoin --user jeffhay sales.contoso.com

The user account you specify must have permission to add computers to the specified domain. In some organizations, this account must be a member of the Domain Admins group. In other organizations, the account might be any valid domain user account. If you do not use the --user option to specify a user, the adjoin command uses the domain Administrator account by default.

3. Type the password for the specified user account.

If DirectControl successfully connects to Active Directory and joins the UNIX computer to the Active Directory domain, a confirmation message is displayed. A new Active Directory computer account is automatically created and the UNIX computer is configured to allow authorized users to log on.
In addition to creating a new Active Directory computer account and configuring the UNIX computer to allow authorized users to log on, the join operation also performs the following tasks:

- Synchronizes the local computer's time with Active Directory to ensure that the timestamp of Kerberos tickets is within the acceptable time period to allow for authentication.
- Updates the Kerberos principal service names used by the host computer, generating new Kerberos configuration files, krb5.keytab files, and new service keys for the host and for the HTTP service.
- Sets the password on the Active Directory computer account for the UNIX computer to a randomly-generated password. The password is encrypted and stored locally to ensure that only DirectControl controls the account.
- Starts the Centrify DirectControl daemon (adclient).

For more information about the options you can specify when joining a UNIX computer to an Active Directory domain, see the section Joining UNIX Computers to Active Directory later in this guide, the Centrify man page for the adjoin command, or the Centrify DirectControl Administrator's Guide.

Restarting Running Services

You might need to restart certain services on UNIX computers on which you install the Centrify DirectControl Agent to ensure that those services reread the system configuration files that DirectControl updates. The most common services that must be restarted are sshd (the secure shell [SSH] login daemon) and gdm (the GNOME Display Manager [GDM] graphical login program). If you use these services, you need to restart them. For example, to restart sshd, type the following command:

/etc/init.d/sshd restart

Alternatively, you can reboot the computer to restart all services.
Because the applications and services running on different servers might vary, a good practice is to reboot each computer to ensure that all of the applications and services on the computer read the DirectControl configuration changes.

Performing Quick Validation Tests

At this stage in the Development phase, it is advisable to run validation tests to ensure that the software is installed correctly and is providing basic services. Later, the section Testing and Stabilizing Authentication and Authorization provides more comprehensive information about how to test the DirectControl solution.

Confirming Configuration of Users and Groups

After completing the steps described earlier in the sections Creating Test Users and Groups, Configuring Active Directory with the first DirectControl Zone, and Enabling Groups and Users for UNIX, you have a default Zone with two users (testuser and testadmin) and two groups (FinanceUsers and FinanceAdmins) enabled as members of the default Zone. For this validation test, you use the following procedure to check that testuser and FinanceUsers are configured correctly.

To confirm that testuser and FinanceUsers are configured correctly

1. On a Windows computer on which you ran the Centrify DirectControl Setup Wizard, open Active Directory Users and Computers.
2. Right-click testuser, click Properties, and then select the Centrify Profile tab to see properties similar to the following screenshot.

3. Confirm that testuser has been added to the default Zone and that the Enable user access to this Zone setting is selected.

Confirming UNIX Computer Membership in Active Directory

The next validation test is to confirm that a UNIX computer is a member of the Active Directory domain. After you use the install.sh script to install the DirectControl software for UNIX on a UNIX computer, as described earlier in the section Installing the Centrify DirectControl Agent on UNIX and Linux, and after performing the steps described earlier in the sections Joining the Active Directory Domain and Restarting Running Services, the UNIX computer is joined to Active Directory. You can use the following procedure to confirm the UNIX computer's membership in Active Directory, either on the UNIX computer itself or by using Active Directory Users and Computers.
To confirm Active Directory functionality on a UNIX computer

1. On a UNIX computer, type the following Active Directory information (adinfo) command:

adinfo --diag

2. Confirm that the computer named centrifyrh9 is joined to the domain by looking for a confirmation line such as the following:

Joined as: centrifyrh9

The complete output displays information about the Active Directory domain to which the UNIX computer is joined, including LDAP settings and Kerberos settings as well as network and DNS parameters.

3. Confirm that the adclient daemon is running by executing the ps (process status) command and looking for the instance of adclient. For example, type:

ps -aef | grep adclient

Output similar to the following should be displayed:

root :50? 00:00:29 /usr/sbin/adclient

For more information about the ps command, see the UNIX man pages.

4. Confirm that NSS is using Active Directory correctly by running the getent command. For example, type:

getent passwd

The output lists all local user accounts and all Active Directory user accounts for members of the default Zone.

For more information about the adinfo command, which displays information about the current DirectControl configuration, see the Centrify man page for adinfo. For more information about the getent command, see the UNIX man page for getent.

To confirm a UNIX computer's Active Directory account on a Windows computer

1. On a Windows computer on which you ran the Centrify DirectControl Setup Wizard, open the Centrify DirectControl Administrator Console.

2. In the Zones tree under the default Zone, select Computers. The computer name for the UNIX computer that you joined to the domain earlier now appears in the list of computers.
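The NSS and PAM changes described earlier and the adinfo, ps, and getent checks in this procedure can be scripted so that every joined host is validated the same way. The following shell script is an added example written for this guide, not Centrify's own code. It assumes the DirectControl NSS source is listed as centrifydc in /etc/nsswitch.conf and the PAM module is pam_centrifydc.so (neither name appears on this page; both can be overridden through the NSS_MODULE and PAM_MODULE variables). Each check reads from a file rather than calling the command directly, so the logic can be exercised against constructed sample output; run it with the argument "live" to collect the real output on a joined host.

```shell
#!/bin/sh
# Post-join validation checks for a host running the DirectControl Agent.
# Added example, not Centrify's code. Assumed names (not on the page):
NSS_MODULE=${NSS_MODULE:-centrifydc}          # source name in nsswitch.conf
PAM_MODULE=${PAM_MODULE:-pam_centrifydc.so}   # module file in /etc/pam.d

# nss_module_first FILE DATABASE MODULE
# 0 if MODULE is the first source listed for DATABASE (passwd, group, ...)
# in an nsswitch.conf-style FILE; comments are skipped.
nss_module_first() {
    first=$(awk -v db="$2" '
        $1 ~ /^#/ { next }
        $1 == (db ":") { print $2; exit }   # e.g. "passwd: centrifydc files"
    ' "$1")
    [ "$first" = "$3" ]
}

# pam_auth_first FILE MODULE
# 0 if the first active "auth" entry in a pam.d FILE names MODULE
# (handles the keyword control form "auth sufficient pam_x.so").
pam_auth_first() {
    first=$(awk '
        $1 ~ /^#/ { next }
        $1 == "auth" { print $3; exit }
    ' "$1")
    [ "$first" = "$2" ]
}

# joined_as FILE: prints the host name from the "Joined as:" line of
# saved "adinfo --diag" output, or nothing if the host is not joined.
joined_as() {
    sed -n 's/^Joined as:[[:space:]]*//p' "$1" | head -n 1
}

# adclient_running FILE: 0 if a saved "ps -aef" listing shows the daemon.
# Anchoring on the full path excludes the "grep adclient" process itself.
adclient_running() {
    grep -q '/usr/sbin/adclient$' "$1"
}

# directory_users GETENT_FILE LOCAL_PASSWD
# Prints logins present in saved "getent passwd" output but absent from the
# local passwd file: these are the accounts NSS resolved from Active Directory.
directory_users() {
    awk -F: 'NR == FNR { local[$1] = 1; next } !($1 in local) { print $1 }' "$2" "$1"
}

# check LABEL COMMAND...: run one check, print its result, count failures.
check() {
    label=$1; shift
    if "$@"; then echo "ok:   $label"; else echo "FAIL: $label"; failures=$((failures + 1)); fi
}

# run_live: collect the real command output and run every check on it.
run_live() {
    tmp=$(mktemp -d) || exit 1
    adinfo --diag > "$tmp/adinfo.txt" 2>&1
    ps -aef > "$tmp/ps.txt"
    getent passwd > "$tmp/getent.txt"
    failures=0
    check "NSS: $NSS_MODULE is first for passwd" nss_module_first /etc/nsswitch.conf passwd "$NSS_MODULE"
    check "NSS: $NSS_MODULE is first for group"  nss_module_first /etc/nsswitch.conf group "$NSS_MODULE"
    check "PAM: $PAM_MODULE is first for auth"   pam_auth_first /etc/pam.d/system-auth "$PAM_MODULE"
    check "adinfo: host is joined"               test -n "$(joined_as "$tmp/adinfo.txt")"
    check "adclient daemon is running"           adclient_running "$tmp/ps.txt"
    check "NSS returns directory users"          test -n "$(directory_users "$tmp/getent.txt" /etc/passwd)"
    echo "Joined as: $(joined_as "$tmp/adinfo.txt")"
    echo "Directory users visible: $(directory_users "$tmp/getent.txt" /etc/passwd | wc -l)"
    rm -rf "$tmp"
    [ "$failures" -eq 0 ]
}

if [ "${1:-}" = "live" ]; then run_live; fi
```

The script exits non-zero if any check fails, so it can be run from a configuration-management job after each join. A host where the NSS ordering check fails but adinfo reports it as joined is worth a closer look: the join succeeded, but a later edit to nsswitch.conf may have moved the directory source behind files.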
3. Double-click the computer name, and then select the Centrify Profile tab to see a screen similar to the following screenshot.

Logging On to a UNIX Computer with an Active Directory User Account

The final step in validating the solution is to log on to a UNIX computer as an Active Directory user.

1. On a UNIX computer, bring up a login prompt or a graphical logon screen.

2. Log on with the testuser account and the Active Directory password that you defined earlier for testuser.

3. Confirm that the system grants access to the user, creates a home directory, and starts a shell session. The following output shows a typical sequence:

centrifyrh9 login: testuser
Password: <password>
Creating home directory...
[testuser@centrifyrh9 testuser]$
Successful completion of these Quick Validation Tests confirms that the DirectControl software is installed and configured correctly.

Major Milestone: Solution Development Complete

This completes the Solution Development phase to reach the End State by implementing Centrify DirectControl. Users on configured UNIX computers can now use Active Directory to authenticate through Kerberos and can access UNIX authorization and identity information in Active Directory through LDAP.
Testing and Stabilizing the Centrify DirectControl Solution

This section describes how to test and stabilize the Centrify DirectControl based solution in order to prepare for deploying it in your production environment.

Introduction and Goals

The purpose of the Stabilizing Phase is to improve the solution quality to a level that meets your acceptance criteria for release to production. Stabilizing Phase testing emphasizes usage and operation under realistic environmental conditions. In this phase, you prioritize the bugs that testing discovers, fix all high-priority bugs, and prepare the solution for release. When you decide that a build is stable enough to be a release candidate and after you complete preproduction testing, you deploy the solution to one or more pilot groups in the production environment.

Major Tasks and Deliverables

The two major Stabilizing Phase tasks that are relevant to Windows security and directory services projects are:

- Testing the solution
- Conducting a pilot

Testing the DirectControl Solution

This section describes how to test the DirectControl environment to ensure that key capabilities are enabled and functioning correctly, but it is not meant to be an exhaustive test guide to stress every feature of the DirectControl solution. For additional information about testing the DirectControl product, including testing for scenarios beyond the scope of this guide, see the documentation that comes with DirectControl and additional documentation available on the Centrify Web site. In particular, the Troubleshooting authentication and authorization section of the Centrify DirectControl Administrator's Guide can help if you encounter problems or issues or if you require a higher level of debugging or diagnostics.
Testing Joining a UNIX Computer to Active Directory

Use the steps described earlier in the section Confirming UNIX Computer Membership in Active Directory under Performing Quick Validation Tests to test whether a UNIX computer is joined successfully to the Active Directory domain. A successful test shows that a UNIX computer appears as a domain member in both Active Directory Users and Computers and in the Centrify DirectControl Administrator Console on Windows. On the UNIX computer itself, you can use the adinfo and getent utilities to determine the status of the join.

Testing Active Directory Authentication

After the UNIX computer is joined to the Active Directory domain, you can test the use of an Active Directory user account to authenticate to the UNIX computer.

Note: Immediately after joining a UNIX computer to the Active Directory domain, to use the GDM graphical login interface to authenticate a user logging on with an Active Directory user account, you must first either restart the gdm daemon or restart the computer.

To verify the authentication of an Active Directory user logging on to a UNIX computer

1. Start (or restart) the UNIX computer.

2. When prompted for the User name, type the Active Directory user logon name for the test user. For this test, type testuser, and then press ENTER.

Note: With DirectControl, users can log on with either their Active Directory User logon name or their UNIX Login name as defined in their Centrify profile properties. For example, if the user Jeff Hay has an Active Directory logon name defined as Jeff.Hay and a Centrify UNIX login defined as jhay, either name can be used at the UNIX login prompt to authenticate the user. In both cases, the password required is always the user's Active Directory password. If these logon names are different, it is a good practice to test logging on with each name.

3. When prompted for the Password, type the Active Directory password for testuser. When DirectControl connects to Active Directory to authenticate the account information, you are logged on to the UNIX computer in the default home directory for the user testuser.

Note: If you created the user account and checked the box to force a password change at the next logon, a message is displayed prompting you to provide a new Active Directory password for this account. After you update the password, the logon process continues.

4. At a UNIX shell prompt, check the UNIX user identifier (UID) and group identifier (GID) assignments for the account. For example, type the following command to display the UID and GID of the currently logged on user:

id

Alternatively, type the following command to display the contents of the current user's home directory with the correct ownership and group names:

ls -al

5. Type exit to log off of the current session.
Testing Workstation Authorization Policies

With Centrify DirectControl, you can enforce Active Directory account policies for UNIX users and computers. For example, you can use Active Directory to specify which workstations users are allowed to log on to and the hours during which they are allowed to log on to those computers.

To prevent access to the UNIX computer for testuser

1. On a Windows computer on which you ran the Centrify DirectControl Setup Wizard, open Active Directory Users and Computers.

2. Right-click testuser, and then click Properties.

3. Click the Account tab, and then click Log On To.

4. Click The following computers, type the computer name of the Windows computer that you are currently logged on to, click Add, and then click OK. This restricts the testuser account so that it can log on only to this Windows computer.

5. On a UNIX computer, log on as testuser. The following message appears:

Your account is configured to prevent you from using this computer. Please try another computer.

6. On the Windows computer, open the Properties page for testuser in Active Directory Users and Computers.

7. Click the Account tab, and then click Log On To.
8. Click All computers, and then click OK. This removes the logon restriction so that you can continue to use the testuser account for the remainder of the test period.

Testing Account Lockout Policies

You can use Centrify DirectControl to enforce account lockout policies if you configure a lockout policy within Active Directory and use a Group Policy object (GPO) to apply the policy.

Configuring a lockout policy

If you do not already have an account lockout policy in place, you need to configure one to verify that the policy is correctly applied to the UNIX computer.

To configure an account lockout policy for this test

1. On a Windows domain controller or server on which you ran the Centrify DirectControl Setup Wizard, open the Group Policy Object Editor to edit the Default Domain Policy object. For example:

   a. Click Start, click Run, type mmc, and then click OK.
   b. In the MMC console, click File, and then click Add/Remove Snap-in.
   c. Click Add, select Group Policy Object Editor, and then click Add.
   d. On the Welcome to the Group Policy Wizard page, click Browse, select Default Domain Policy, and then click OK.
   e. Click Finish, click Close, and then click OK.

2. In the console tree, click the + symbol to expand Default Domain Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Account Policies, and then click Account Lockout Policy.

3. In the details pane, right-click Account lockout duration, and then click Properties.

4. Select Define this policy setting to enable the setting with the default configuration of 30 minutes. Click OK to accept the suggested settings, and then click OK to accept that enabling Define this policy setting automatically changes the configuration settings for the Account lockout threshold and Reset account lockout counter after policies.
If you accept the default settings, the account lockout policy is now configured to lock out an account after five invalid logon attempts, to keep the account locked for 30 minutes, and to reset the lockout counter after 30 minutes.

Testing the lockout policy

After a lockout policy is defined, you need to test it on a UNIX computer with an Active Directory account to confirm that it works.

To test the account lockout policy on a UNIX computer

1. On a UNIX computer, attempt to log on with the testuser user name and an incorrect password. Repeat five consecutive times to lock the account.

2. On a Windows computer on which you ran the Centrify DirectControl Setup Wizard, open Active Directory Users and Computers.

3. Right-click testuser, and then click Properties.

4. Click the Account tab and confirm that the Account is locked out option is selected (that is, confirm that the account is locked out).

5. Clear the Account is locked out option to remove the lock, and then click OK.
Testing Password Management Policies

With Centrify DirectControl, you can enforce your Active Directory password policies for UNIX users and computers. For example, you can use Active Directory settings to require users to change their passwords the next time they log on, to use passwords of a certain length or complexity, or to specify a new password after a certain number of days. If you configure any or all of these policies by setting them in Active Directory, DirectControl enforces the policies when users log on to UNIX computers.

To require a password change for testuser

1. On a Windows computer on which you ran the Centrify DirectControl Setup Wizard, open Active Directory Users and Computers.

2. Right-click testuser, and then select Reset Password.

3. Type a new password, and then re-type it to confirm it.

4. Select User must change password at next logon, and then click OK.

5. On a UNIX computer, log on as testuser with the new password, and then respond to the prompts to create a new password.

Testing Offline Authentication

Offline authentication is very important because it enables users to log on and use computers that are disconnected from the network or that have only periodic access to the Active Directory domain. For example, users who have laptop computers must be able to log on and be successfully authenticated when they are not connected to the network. To handle these offline situations, DirectControl securely caches user account information locally. After a user successfully logs on to a UNIX computer, the computer can use the cached credential information to authenticate the user at a later time if Active Directory is not available.

To verify offline authentication

1. On a UNIX computer, log on as the root user.

2. Type the following command to ping the domain controller and verify network connectivity:

ping Test_domain_controller

3. Type the following command to simulate disconnecting from the network by disabling the Ethernet network interface:

ifdown eth0

4. Type the following command to ping the domain controller and verify that the local UNIX computer is no longer communicating with the network:

ping Test_domain_controller

5. Log off the root account.

6. Log on as testuser and enter the Active Directory password for the account. Because you have logged on successfully with the testuser account in earlier procedures in this guide, you can log on with this account now with the previously cached credentials. If you try to log on with an Active Directory account that has not previously logged on successfully, the logon fails because there are no credentials in the cache.

7. Log off and log back on as root.

8. Type the following command to re-enable the network interface:

ifup eth0
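Run by hand, the ifdown/ifup sequence above leaves the computer disconnected if the test is interrupted after step 3. The following shell script is an added example, not Centrify's code, that wraps the same steps with a trap so the interface is restored however the script exits. It assumes a Linux host with ifdown/ifup, interface eth0, and a domain controller name supplied in DC (Test_domain_controller is the placeholder used in the procedure). With DRY_RUN=1 it prints the commands instead of running them and simulates the ping results from a LINK variable, which is how its command trace can be checked without touching the network.

```shell
#!/bin/sh
# Repeatable offline-authentication test. Added example, not Centrify's code.
# Assumptions: Linux host with ifdown/ifup, interface eth0, DC reachable by
# name before the test starts. Run as root: sh offline-test.sh run
DC=${DC:-Test_domain_controller}   # placeholder name from the procedure
IFACE=${IFACE:-eth0}
DRY_RUN=${DRY_RUN:-0}              # 1 = print commands, simulate ping replies
LINK=up                            # simulated link state, dry-run only
TRACE=""                           # ";"-separated record of commands issued

# run COMMAND...: record the command, then run it (or just echo it in dry-run).
run() {
    TRACE="$TRACE$*;"
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

link_down() { run ifdown "$IFACE"; LINK=down; }
link_up()   { run ifup "$IFACE";   LINK=up; }

# reachable HOST: 0 if HOST answers one ICMP echo within 3 seconds.
reachable() {
    TRACE="${TRACE}ping $1;"
    if [ "$DRY_RUN" = 1 ]; then
        [ "$LINK" = up ]
    else
        ping -c 1 -W 3 "$1" >/dev/null 2>&1
    fi
}

# offline_auth_test: returns 0 on a clean run, 1 if a precondition fails,
# 2 if the network did not come back after ifup.
offline_auth_test() {
    TRACE=""
    if ! reachable "$DC"; then
        echo "precondition failed: $DC is not reachable while online"; return 1
    fi
    trap link_up EXIT INT TERM      # interface comes back however we leave
    link_down
    if reachable "$DC"; then
        echo "error: $DC still answers after ifdown $IFACE"; return 1
    fi
    echo "Network is down. Log on as testuser at the console now (cached credentials)."
    if [ "$DRY_RUN" != 1 ]; then
        printf 'Press Enter when the login test is finished: '
        read _answer
    fi
    trap - EXIT INT TERM
    link_up
    if ! reachable "$DC"; then
        echo "warning: $DC still unreachable after ifup $IFACE"; return 2
    fi
    echo "Network restored."
    return 0
}

if [ "${1:-}" = "run" ]; then offline_auth_test; fi
```

The login itself (step 6) stays manual because it is the console prompt that exercises the cached credentials; the script only guarantees that steps 2 through 4 and 8 happen in order and that step 8 is never skipped. Because the script aborts before touching the interface when the domain controller is not reachable at the start, a failed test cannot be confused with a host that was already offline.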
Testing Additional Administrative Tasks

You might want to try several other typical administrative tasks that are not demonstrated in this guide. For example, you might want to test that the following tasks function as expected:

- Disabling a user's account in Active Directory Users and Computers to prevent the user from accessing any computer or application managed by DirectControl.
- Setting the specific hours when a user is allowed to log on or specific hours when a user is denied access to a UNIX computer.
- Changing the password for an Active Directory account on a UNIX computer by using the passwd or adpasswd command.
- Authenticating users from other trusted Active Directory domains by specifying their full domain user name. For example, if a UNIX computer is joined to the domain seattle.contoso.com and jeffhay belongs to the paris.contoso.com domain, log on to the UNIX computer by using jeffhay@paris.contoso.com.

Conducting a Pilot

After you test the Centrify DirectControl solution in a test environment, the next step is to conduct a pilot deployment or "proof of concept" by deploying the solution to one or more groups of typical users in your production environment. You can find complete instructions about how to conduct a pilot of the DirectControl solution in the Centrify documentation that comes with the product; those detailed instructions are not repeated here. This section provides a high-level outline of the steps required to successfully perform a pilot deployment.

You can install DirectControl on both UNIX and Windows computers without negatively impacting any user action for computers running either operating system. On the UNIX computers, the DirectControl components are inactive until you join the computer to the domain by using the adjoin command.
On the Windows computer, you can set up the default and other Zones without any impact to the existing Active Directory or Windows environment. This lets you install the software to be used for the pilot at any time that is convenient.

To perform a pilot deployment

1. Identify a set of users who will participate in the pilot, and conduct informational and training sessions to ensure that they know what to expect.

2. Identify which computers you want to include in the pilot, and back up all system and data information.

3. Install the DirectControl software on a Windows computer in the pilot domain and on all UNIX or Linux computers involved in the pilot:

   - On a Windows computer joined to the domain, insert the Centrify DirectControl CD, and then run Setup.exe to install the Centrify DirectControl Management Tools. For more information, see Installing Centrify DirectControl on Windows earlier in this guide.
   - On each UNIX computer, insert the Centrify DirectControl CD, and then type ./install.sh to install the Centrify DirectControl Agent. For more information, see Installing the Centrify DirectControl Agent on UNIX or Linux earlier in this guide.

4. Choose an established user account store from an existing UNIX computer to conduct the pilot. For example, use a local /etc/passwd user account database.

5. Use the Import from UNIX tool in the Centrify DirectControl Administrator Console to import the user accounts stored in the /etc/passwd file into Active Directory. DirectControl places the imported user information in a pending import area until the UNIX account names can be matched up with an Active Directory account name. That is, at this point, the UNIX user account information is imported into a temporary area before being committed to storage in Active Directory.
For information about importing existing UNIX user accounts into Active Directory, see the section Importing Existing UNIX Accounts into Active Directory later in this guide or refer to the DirectControl Administrator's Guide.

6. Create a new account for UNIX users in the pilot group who do not have an Active Directory account and enable them as UNIX users, as described earlier in the sections Creating Test Users and Groups and Enabling Active Directory Groups and Users for UNIX. You must also set a password for each new user. At this point, UNIX computers included in the pilot cannot yet use Active Directory authentication but can only use the old method of validating users using the local /etc/passwd store.

7. Before switching over the UNIX computers to use Active Directory authentication, prepare the pilot users:

   - Inform users when the switch to Active Directory authentication will occur.
   - Inform users what their Active Directory passwords are and that, after the deployment occurs, they must use only these passwords for logging on to their UNIX workstations.
   - For users new to Active Directory, provide any needed information or training. Because the users' account information has been migrated from their existing directory to Active Directory, they will log on using their existing UNIX logon name. They still must use their Active Directory password because their existing UNIX password will no longer be active after the solution is deployed.

8. At the time scheduled for the switch to Active Directory, log on as root to one UNIX computer and use the adjoin command to join it to the Active Directory domain. For more information, see Joining the Active Directory Domain earlier in this guide.

9. After you successfully run the adjoin command on one UNIX computer, test that the UNIX computer is correctly joined to the domain.
For more information, see Performing Quick Validation Tests earlier in this guide.

10. Ask a user participating in the pilot deployment to log on to this UNIX computer with Active Directory credentials (logon name and password).

11. After you successfully complete these tests on the first UNIX computer, log on as root to each of the remaining UNIX computers in the pilot and run the adjoin command. It is important to perform this step in your pilot deployment to ensure that you can successfully join multiple computers to Active Directory when you are ready to deploy the DirectControl solution in your production environment.

12. Test that each UNIX computer is correctly joined to the domain. For more information, see Performing Quick Validation Tests earlier in this guide.

13. Ask users participating in the pilot deployment to log on to their UNIX computers with their Active Directory credentials (logon name and password). Because the user information from the UNIX /etc/passwd file now populates their UNIX attributes in Active Directory, members of the pilot group see no change in their UNIX user experience. Their selected shell program, home directory, and UID and GID are the same as before. The only change for users is that they now need to use their Active Directory password to log on to their UNIX computers.

14. Interview or send a questionnaire to the pilot users to determine whether the change to Active Directory authentication and authorization caused any problems or issues for the users.

15. Update your pilot plan and your deployment plan (part of the master project plan) based on your experience in deploying the pilot and on the feedback you receive from users who participate in the pilot.

16. Resolve any issues or bugs that the pilot users report before deploying the solution throughout your production environment.
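Before handing an /etc/passwd file to the Import from UNIX tool (steps 4 and 5 of the pilot procedure), it helps to know which entries will sit in the pending import area waiting for a manual decision. The following shell script is an added example, not part of DirectControl or of this guide. It classifies each passwd entry as ready for import, a system account (assumption: UID below 500, a common threshold on the Red Hat era systems used here; the threshold is the optional second argument), a duplicate UID that would give two Active Directory users the same UNIX identity, or an account with no login shell, so that the review in the Administrator Console can concentrate on the exceptions.

```shell
#!/bin/sh
# Pre-import audit of a local /etc/passwd store. Added example, not Centrify's
# Import from UNIX tool. Usage: sh passwd-audit.sh /etc/passwd [MIN_UID]

# audit_passwd FILE [MIN_UID]
# Prints one line per entry: STATUS LOGIN UID GID HOME SHELL, where STATUS is
#   import  - ordinary user account, ready for the import tool
#   system  - UID below MIN_UID (assumed 500); leave these local
#   dupuid  - UID shared with another entry; resolve before importing
#   noshell - login shell is nologin or false; usually a service account
audit_passwd() {
    file=$1; min_uid=${2:-500}
    awk -F: -v min="$min_uid" '
        # pass 1: count each UID so duplicates can be flagged in pass 2
        NR == FNR { uidcount[$3]++; next }
        /^#/ || NF < 7 { next }
        {
            login = $1; uid = $3; gid = $4; home = $6; shell = $7
            status = "import"
            if (uid + 0 < min)                   status = "system"
            else if (uidcount[uid] > 1)          status = "dupuid"
            else if (shell ~ /(nologin|false)$/) status = "noshell"
            print status, login, uid, gid, home, shell
        }' "$file" "$file"
}

# import_candidates FILE [MIN_UID]: only the logins that are ready to import.
import_candidates() {
    audit_passwd "$1" "${2:-500}" | awk '$1 == "import" { print $2 }'
}

# audit_summary FILE [MIN_UID]: count of entries per status on one line,
# e.g. "dupuid 2 import 1 noshell 1 system 2".
audit_summary() {
    audit_passwd "$1" "${2:-500}" \
        | awk '{ n[$1]++ } END { for (s in n) print s, n[s] }' \
        | sort | tr '\n' ' ' | sed 's/ $//'
}

if [ -n "${1:-}" ]; then
    audit_passwd "$1" "${2:-500}"
    echo "summary: $(audit_summary "$1" "${2:-500}")"
fi
```

Duplicate UIDs deserve attention before the import rather than after: two Active Directory users that map to one UNIX UID share file ownership on every joined computer, which defeats the per-user accountability the migration is meant to provide.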
Major Milestone: Testing and Stabilization Complete

This completes the Testing and Stabilization phase on the way to the End State of implementing Centrify DirectControl. You have tested the solution and successfully completed a pilot deployment. Your team is now ready to begin deploying the solution in a production environment.
Deploying the Centrify DirectControl Solution

After you complete the testing and stabilization phase, you are ready to place all computer, user, and group accounts into Active Directory throughout your production environment. After you complete the deployment phase, you can use Active Directory to manage all authentication, authorization, and directory services.

Introduction and Goals

This section provides an overview of deployment-related tasks for the Centrify DirectControl solution and is not intended to be a comprehensive deployment guide. For complete information about deploying the Centrify solution, see the Centrify DirectControl Administrator's Guide.

Major Tasks and Deliverables

In this phase, you perform the following major tasks:
- Complete deployment preparations
- Deploy the solution
- Stabilize the deployment

Completing Deployment Preparations

You can install the DirectControl software components at any time on both UNIX and Windows platforms without extensive preparation, because installation alone makes no changes that affect the user or administrator experience on those computers. However, before you begin the deployment, review the following sections and follow the guidelines in each section that applies to your organization:
- Importing existing UNIX accounts into Active Directory
- Using Zones to manage role-based access control mapping
- Using Group Policy with DirectControl to manage GPOs
- Applying security controls
- Choosing the phased deployment option

In addition, all organizations should complete the following task as part of the deployment process:
- Preparing support staff and users

Importing Existing UNIX Accounts into Active Directory

Typically, you have existing UNIX account information that you need to map to Active Directory users and groups.
You can do this by importing the UNIX account information into Active Directory and specifying how those existing accounts map to Active Directory users and groups. If you have existing UNIX user and group information, you can use the Centrify DirectControl Administrator Console to selectively import this information into Active Directory.

Importing from Existing Identity Stores

Centrify provides complete documentation of the steps required to import existing UNIX identity stores into Active Directory in the section "Importing information from NIS maps or UNIX files" in the Centrify DirectControl Administrator's Guide. This subsection provides an overview of the import process.
Before you import existing UNIX account information into Active Directory, determine how you want the imported information to fit into your existing Active Directory structure, how you want to organize it into Centrify DirectControl Zones and groups, and how you plan to handle any account conflicts. You must also ascertain where existing UNIX account information is stored in your UNIX environment. The three most common repositories for UNIX account information are:
- A Network Information Service (NIS) server, and the databases or maps that store users, groups, and other network-related information for NIS domains.
- A central LDAP server that stores user and group account information for a network of UNIX computers.
- Local UNIX configuration files, such as /etc/passwd, that store local user and group accounts.

Depending on your environment, you might need to import information from any of these sources. Therefore, the first step in planning the import is to determine whether the information is stored in NIS, NIS+ (an enhanced version of NIS), LDAP, or local UNIX files.

To prepare existing UNIX directory information for import into Active Directory

For directory-based UNIX systems such as NIS or LDAP, you can use the UNIX utility getent to export UNIX user and group information to a file. For example, to create a file with user account information, run the following command on the UNIX computer before you join it to the Active Directory domain:

    getent passwd > /tmp/passwd

To create a file with group account information, run the following command:

    getent group > /tmp/group

These two files, /tmp/passwd and /tmp/group, are used to import the existing UNIX directory information into Active Directory.
For /etc/passwd-based UNIX systems, you can use the /etc/passwd and /etc/group files directly for importing the information into Active Directory.

You must also verify that you can access the UNIX information from the Windows computer where the Centrify DirectControl Administrator Console is installed. To import information from the group and passwd files, these files must be accessible on the Windows network.

To make UNIX information accessible from a Windows computer

Use any of the following methods to make the information from the group and passwd UNIX files accessible from the Windows computer:
- Use FTP or SFTP to transfer the files from the UNIX computer to the Windows computer.
- Copy the files to a network share that is configured to allow a Windows user to access the files on a UNIX computer.
- Copy the files to a network share that is configured to allow a UNIX user to transfer UNIX files to a Windows computer network share.
- Transfer the files using physical media such as a floppy disk, a USB drive, or a writeable CD-ROM.

Now that the UNIX directory information is accessible on the Windows computer, you must import the directory information into Active Directory.

To import UNIX directory information into Active Directory

Use the Import from UNIX tool in the Centrify DirectControl Administrator Console to import the user and group accounts stored in the passwd and group files into Active Directory.
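Before you run the Import from UNIX tool, it is worth auditing the exported files for the account conflicts that the planning step above tells you to anticipate. The following shell script is an added example, not Centrify's tooling or the guide's own procedure: it checks one export for duplicate login names, duplicate UIDs, system accounts below a UID floor and dangling primary groups, and checks two exports against each other for the cross-store UID and login-name conflicts that importing each store into its own Zone (nis-zone, passwd-zone) exists to avoid. The sample passwd and group files are constructed here; every UID except jhay's 527 is made up.

```shell
#!/bin/sh
# Pre-import audit of exported UNIX account stores (added example; not Centrify
# tooling). Inputs are passwd(5)/group(5)-format files such as the /tmp/passwd
# and /tmp/group files that "getent passwd" and "getent group" produce, or
# /etc/passwd and /etc/group copied from a computer with local accounts.

# Login names that appear more than once in one passwd-format file.
dup_names() {            # dup_names PASSWD_FILE
    cut -d: -f1 "$1" | sort | uniq -d
}

# UIDs shared by two or more entries in one passwd-format file.
dup_uids() {             # dup_uids PASSWD_FILE
    cut -d: -f3 "$1" | sort -n | uniq -d
}

# UIDs present in both stores under different login names, printed as
# "uid name_in_first name_in_second". Consolidating such stores into one Zone
# forces one of the two users onto a new UID and a re-own of all their files;
# importing each store into its own Zone avoids that.
cross_uid_collisions() { # cross_uid_collisions FIRST_PASSWD SECOND_PASSWD
    awk -F: 'NR == FNR { name[$3] = $1; next }
             ($3 in name) && name[$3] != $1 { print $3, name[$3], $1 }' "$1" "$2"
}

# Login names present in both stores with different UIDs, printed as
# "name uid_in_first uid_in_second". Linking both to one Active Directory
# account is fine; giving both the same UID in one Zone is not.
cross_name_conflicts() { # cross_name_conflicts FIRST_PASSWD SECOND_PASSWD
    awk -F: 'NR == FNR { uid[$1] = $3; next }
             ($1 in uid) && uid[$1] != $3 { print $1, uid[$1], $3 }' "$1" "$2"
}

# Accounts below a UID floor (root, bin, daemon, ...): system accounts that are
# normally excluded from the import rather than turned into directory users.
system_accounts() {      # system_accounts PASSWD_FILE UID_FLOOR
    awk -F: -v floor="$2" '$3 < floor { print $1 }' "$1"
}

# Users whose primary GID has no entry in the matching group file, printed as
# "name gid". Such users would import with a dangling primary group.
orphan_gids() {          # orphan_gids PASSWD_FILE GROUP_FILE
    awk -F: 'NR == FNR { seen[$3] = 1; next } !($4 in seen) { print $1, $4 }' "$2" "$1"
}

# Run every single-store check on one export and print a report. Returns 0 when
# the store is clean and 1 when any check produced findings.
audit_store() {          # audit_store PASSWD_FILE GROUP_FILE UID_FLOOR
    local passwd="$1" group="$2" floor="$3" findings=0 out
    for check in dup_names dup_uids; do
        out=$("$check" "$passwd")
        [ -z "$out" ] || { findings=$((findings + 1)); printf '%s:\n%s\n' "$check" "$out"; }
    done
    out=$(system_accounts "$passwd" "$floor")
    [ -z "$out" ] || { findings=$((findings + 1)); printf 'system_accounts (uid < %s):\n%s\n' "$floor" "$out"; }
    out=$(orphan_gids "$passwd" "$group")
    [ -z "$out" ] || { findings=$((findings + 1)); printf 'orphan_gids:\n%s\n' "$out"; }
    [ "$findings" -eq 0 ]
}

# Constructed sample exports: a NIS store (firstname.lastname, UIDs from 10000)
# and a local /etc/passwd store (initial+lastname, UIDs from 500), following the
# guide's jeff.hay / jhay example. Every UID except jhay's 527 is made up.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/nis.passwd" <<'EOF'
jeff.hay:x:10001:10000:Jeff Hay:/home/jeff.hay:/bin/sh
lori.penor:x:10002:10000:Lori Penor:/home/lori.penor:/bin/sh
svc.backup:x:527:10000:Backup service (hand-added below the NIS range):/home/svc.backup:/bin/sh
EOF
cat > "$WORK/nis.group" <<'EOF'
finance:x:10000:jeff.hay,lori.penor
EOF
cat > "$WORK/local.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
jhay:x:527:527:Jeff Hay:/home/jhay:/bin/sh
ojones:x:527:527:Duplicate UID typo:/home/ojones:/bin/sh
lori.penor:x:528:528:Lori Penor:/home/lori.penor:/bin/sh
EOF
cat > "$WORK/local.group" <<'EOF'
root:x:0:
bin:x:1:
jhay:x:527:
EOF

for store in nis local; do
    printf '== %s store ==\n' "$store"
    if audit_store "$WORK/$store.passwd" "$WORK/$store.group" 500; then
        echo "clean"
    fi
done
printf '== cross-store UID collisions ==\n'
cross_uid_collisions "$WORK/nis.passwd" "$WORK/local.passwd"
printf '== cross-store login-name conflicts ==\n'
cross_name_conflicts "$WORK/nis.passwd" "$WORK/local.passwd"
```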
After you successfully complete the import steps, the UNIX user account information is stored in Active Directory and linked to the appropriate Active Directory user accounts.

Resolving Multiple Identities with DirectControl Zones

One of the unique features of the DirectControl solution is the ability to import multiple legacy UNIX account stores into DirectControl Zones and thereby map a single Active Directory user account to multiple UNIX IDs. While it might seem desirable to use a single user name for both UNIX and Windows, accommodating existing directories and systems might make this impossible, at least initially. The following simple example illustrates the problem.

The current environment might have a NIS directory service in which the naming convention for users is firstname.lastname (for example, jeff.hay) and UIDs are in the range 10,000 to 99,999. The example organization also includes a collection of UNIX computers that have no centralized directory but instead store user account information locally with a different set of policies: user names are first initial plus last name (for example, jhay) and UIDs start at 500. If you consolidate the two UNIX identities into a single identity, the consolidation can cause substantial disruption for some users because:
- They must use new logon names on some computers.
- They must reset file ownerships.
- In some cases (for example, mail files named after the user name), they must change file names.

If your organization has thousands of users, this task is enormous. You can avoid this type of problem by using Centrify Zones. In this approach, you import each legacy directory store into a separate Zone in Active Directory. In the example described above, you can use the following procedure.

To use DirectControl Zones to resolve multiple identities

1. Import the NIS directory store into a Zone called nis-zone.
2. Import the /etc/passwd information from the non-NIS UNIX computers into a Zone called passwd-zone.
3. Map each user listed in each Zone to Active Directory accounts in a many-to-one relationship. That is, you can map many UNIX accounts to a single Active Directory account.

The end result is, for example, an Active Directory user account called Jeff Hay that is linked to two UNIX accounts: one with the user name jeff.hay with a UID of and another with the user name jhay with a UID of 527. After you map these accounts, users can log on to their UNIX computers with their previous logon name and their Active Directory password with no disruption. There is no need to change ownerships or file names.

For detailed information about how to use Centrify's Zone approach to migrate UNIX user accounts to Active Directory, see the white paper "Centrify's Solution for Migrating UNIX Directories to Active Directory: Leveraging Centrify's DirectControl and Zone Technology to Simplify Migration", available from Centrify.

Using Zones to Manage Role-based Access Control Mapping

Even if your organization eventually decides to consolidate user names and UIDs, Centrify Zones can still serve as a method for managing role-based access control (RBAC) for your UNIX or Linux computers. RBAC is a technique of managing users based on their roles within an organization and establishing policies for members who share the same role. For example, all auditors in your finance department might belong to the role "financial auditors", and only those employees should have read-write access to consolidated financial reports. If those reports are stored on three regional UNIX computers, you might also want to restrict access to those computers to the financial auditors.
Restricting Access by Using Zones for RBAC

You can use a Centrify DirectControl Zone to restrict access to the UNIX computers containing financial data to employees in the financial auditor role.

To use Zones to restrict access

1. Using the Centrify Administrator Console on a Windows computer joined to the domain, place the UNIX computers to which you want to restrict access into their own Zone, called, for example, the audit-systems Zone.
2. Grant only auditors logon access to these computers by adding them as members of the Zone using the Centrify Administrator Console.

Restricting Access by Using Active Directory for RBAC

Alternatively, you can use an Active Directory group to restrict access to the UNIX computers containing financial data to employees in the financial auditor role. Your organization might already use Active Directory groups to manage some form of role-based access control for Windows computers. For example, all auditors in the finance department might be members of the finaudit Active Directory group. With DirectControl, you can now restrict access to the UNIX computers by group.

DirectControl includes a file, /etc/centrifydc/centrifydc.conf, that controls the settings for numerous parameters related to how DirectControl operates. One of these parameters is the pam.allow.groups setting.

To use Active Directory to restrict access

1. On each UNIX computer that contains financial data, open the /etc/centrifydc/centrifydc.conf file.
2. Specify the following setting:

    pam.allow.groups: finaudit

This setting restricts access to the UNIX computer to members of the finaudit Active Directory group.

Allowing Access to Active Directory Enabled UNIX Applications

DirectControl lets you use Active Directory properties to enable access to certain UNIX applications.
You can use this feature to explicitly define which applications are Active Directory enabled on each UNIX computer. Active Directory enabled applications use Active Directory authentication, authorization, and other services to control access to certain features within the application.

For example, if you have a Web-based application running on a Tomcat server, you can enable Active Directory authentication for that server and then apply restrictions to certain pages based on Active Directory credentials. For example, you can use Active Directory group membership to restrict access to a page that contains financial information to members of the finaudit Active Directory group. When a user tries to access the page, Tomcat checks whether the user is a member of the finaudit group. A user who is a member is granted access to the page without being prompted to re-enter Active Directory credentials. A user who is not a member is denied access to the page.

Using Group Policy with DirectControl to Manage GPOs

An important feature of DirectControl lets you create Microsoft Group Policy objects (GPOs) for UNIX computers. Group Policy is particularly effective for regulating policy or applying settings across a large number of computers. Continuing the earlier example, you can use the following procedure to manage GPOs.
To use DirectControl to manage GPOs

1. On a Windows computer with Active Directory Users and Computers and the DirectControl Administrator Console installed, open Active Directory Users and Computers.
2. In the left pane, select the domain that you use for the deployment.
3. Right-click the domain name, select New, and then click Organizational Unit.
4. In the Name dialog box, give the new OU a unique name, such as Finance Computers.
5. Move each of the UNIX computers that contain financial information used by auditors into this new Active Directory OU:
   a. Right-click the UNIX computer in its current OU.
   b. Select Move.
   c. Select the name of the new OU, and then click OK.
6. Configure a GPO for this OU that enforces the pam.allow.groups setting with the value finaudit. This setting restricts access to all UNIX computers in this OU to members of the finaudit Active Directory group. For more information, see "Creating a Centrify DirectControl Group Policy Object" in the Centrify DirectControl Administrator's Guide.
7. Apply this policy to the OU. This policy now governs all UNIX computers in this OU.

At the same time, you can also configure other policies to implement role-based access control, for example, for other groups of computers. For detailed information about how to use Group Policy with DirectControl, see the Centrify DirectControl Administrator's Guide.

Applying Security Controls

You can use role-based access control for administrators and operators as well as for end users. Most organizations restrict access to the Administrator account for security reasons. For that reason, Centrify has added the capability to delegate administration of Zones to non-privileged users. In addition, most organizations restrict access to the root password on critical UNIX computers.
Ideally, you should manage control over root accounts centrally and apply password complexity, password aging, and other security-oriented policies to the root account on each UNIX computer or group of computers.

Assigning management privileges for each Zone

You can use the Centrify DirectControl Administrator Console to give specific users and groups permission to perform certain types of administrative tasks within each Zone. For example, assume that you have a Zone called Finance and you want to set up different permissions for the different kinds of administrators who manage computers in this Zone. Through the Centrify DirectControl Administrator Console, you can assign specific permissions to individual users and groups. For example, you can assign:
- The group ITStaff full control, which allows members of that group to perform all administrative tasks.
- The group FinanceManagers permission to read and modify Zone information and Zone membership.
- The group FinanceUsers permission to read Zone information but perform no other tasks.
- The users jeff.hay and lori.penor permission to delete Zones.
To delegate which users and groups have control over the objects in a Zone

1. On the Windows computer, open the Centrify DirectControl Administrator Console.
2. In the console tree, select Zones, and then select the Zone you want. For example, open the default Zone.
3. Right-click the Zone that you selected, and then click Delegate Zone Control.
4. At the Welcome page, click Next.
5. Click Add, and then use Find, with search criteria if necessary, to locate the user or group to which you want to delegate control.
6. Click OK. After you finish adding users and groups, click Next.
7. From the list, select the tasks you want to delegate to the user or group. For example, if you want members of the selected group to be able to modify Zone information, select the Modify Zone Information task.
8. Review your selections, and then click Finish.

Mapping Privileged Local UNIX Accounts to Active Directory Accounts

As mentioned earlier in the section "Optionally mapping root and privileged UNIX accounts to Active Directory Accounts", DirectControl includes support for mapping any local UNIX account to an Active Directory account. Before you deploy DirectControl, establish a policy for how your organization wants to handle certain local UNIX accounts, such as the root account. In some cases, consider using Group Policy as a method for applying a consistent local account mapping policy across a large number of computers. For more information about how to map user accounts, either individually or by using Group Policy, see the Centrify DirectControl Administrator's Guide.

Choosing a Phased Deployment Option

A good approach for reaching a fully deployed End State is to roll out the deployment in phases. A phased deployment is recommended in organizations with large numbers of UNIX computers or many different legacy directory systems.
The DirectControl Zones feature is particularly useful in helping organizations compartmentalize the project into manageable phases. If your organization has multiple legacy directory systems, either central directories such as NIS or local directories that use /etc/passwd, you might choose to use one Zone for each directory that you move into Active Directory, dividing the migration project into subprojects based on the number of Zones. A good tactic is to start with a small Zone. For example, you can use the following high-level set of steps to perform a phased deployment. For detailed steps, see "Deploying the Solution" and "Stabilizing the Deployment" later in this guide.

To deploy in phases one Zone at a time (synopsis)

1. Use the Centrify Administrator Console on a Windows computer to import a single /etc/passwd file into a single Zone that has a small number of UNIX computers as members.
2. Join the UNIX computers in that Zone to Active Directory.
3. Carefully monitor and resolve any issues that users or support staff experience.
4. After the first Zone is fully deployed and stabilized, update your deployment documentation with what you learned from the first deployment, and then deploy the next largest Zone.
5. Continue deploying Zones one at a time until all legacy directory systems are successfully migrated to Active Directory.
You can use this strategy to complete the deployment and stabilization of the migration to Active Directory with minimal risk, little disruption, and manageable resource utilization. For detailed information about how to use DirectControl to perform a phased migration of NIS or local directories to Active Directory, see the white paper "Centrify's Solution for Migrating UNIX Directories to Active Directory: Leveraging Centrify's DirectControl and Zone Technology to Simplify Migration", available from Centrify.

Preparing the IT Support Staff and Users

Before you can deploy the DirectControl solution, you must prepare the UNIX user community and the IT support staff.

Training IT Support Staff

Provide the following training to your IT support staff.

To train IT support staff, provide the following information
- Location of project plans. Ask support staff to read all relevant plans related to the DirectControl deployment project.
- Time scheduled for deployment. Make sure support staff are available at the time the deployment is scheduled to take place.
- Location of documentation. Make all system and solution documentation available so support staff can use it to help solve end-user issues that arise during the production deployment.
- Pilot project experience and feedback. Explain the results of the pilot project, including any issues encountered during the pilot and the resolution for each issue.
- How to manage the DirectControl solution. The best single resource for learning how to administer DirectControl is the Centrify DirectControl Administrator's Guide. That guide includes much more detail about administrative functions, including capabilities beyond the scope of this guide.
- How to administer Windows and Active Directory.
If your support staff are familiar only with supporting UNIX computers, provide training about Windows and Active Directory concepts and administration.
- How to operate the DirectControl solution in your network and business environment. Create an operations handbook with details about implementing common operations scenarios in your environment, such as adding a new UNIX computer or user to Active Directory.
- How to report issues related to the DirectControl solution. If your organization uses a bug or problem-ticket system for tracking issues, set up a new subject area for this solution. Teach support staff members how to report DirectControl issues.

Preparing End Users

You must prepare end users' computers and inform the UNIX user community about what to expect. If your organization has decided to consolidate UNIX identities, you must perform certain tasks to accommodate a user's new identity on the UNIX computer. For example, if your organization decides to consolidate and use only one Zone for all UNIX computers, each user will have only one UNIX user name and one UID. The following example procedure assumes that you have decided to use only one Zone.

To prepare users' UNIX computers before DirectControl is deployed

1. Review and note the new UNIX settings for each user, including the user's UID. You can do this by running a user report for the Zone in the Centrify Administrator Console on the Windows computer. For more information, see "Generating and viewing reports" under "Running reports" in the Centrify DirectControl Administrator's Guide.
2. On each UNIX computer, set each user's files to the correct UID. For example, if Jeff Hay is assigned a UNIX UID of and his UNIX user name is jhay, execute the following steps on the UNIX computer that Jeff Hay uses:
   a. Log on to the UNIX computer as root.
   b. Change directory to Jeff Hay's current home directory.
   c. Run the chown command to reset the ownership of Jeff's files to the new UID. For example, where NewUID is the UID assigned to him in the Zone report:

    find . -user jhay | xargs chown NewUID

To inform end users, provide the following information

1. When the switch to Active Directory is scheduled to occur.
2. Which UNIX or Linux computers are included in the new deployment.
3. Which password each user needs to use after the deployment takes place. Explain to users that, after the DirectControl deployment is complete, they must use a single Active Directory password to access their UNIX workstations. They cannot use their current UNIX password after the deployment because it will no longer be active on the computer.

Deploying the Solution

This section provides checklists to use to confirm that your network infrastructure is ready for the deployment. It also describes how to join your UNIX computers to Active Directory to implement the transition to Active Directory authentication and authorization for the UNIX computers.

Deploying the Infrastructure

With deployment preparations complete, you are ready to deploy the DirectControl infrastructure in your production environment. If your organization is large, perform a phased deployment, as described earlier in "Choosing a Phased Deployment Option".

To deploy the Windows environment

1. Install the DirectControl Windows components on a Windows computer joined to the Active Directory domain. For specific steps, see "Installing Centrify DirectControl on Windows" under "Developing the Components of the Solution" earlier in this guide.
2. Configure at least one DirectControl Zone.
For specific steps, see "Configuring Active Directory with the First DirectControl Zone" under "Developing the Components of the Solution" earlier in this guide. Use the Import from UNIX tool in the Centrify DirectControl Administrator Console to import user information from the existing UNIX directory systems or local /etc/passwd files into Active Directory.
3. Link the imported identities to the appropriate Active Directory users.
4. Import UNIX groups, if necessary, configuring them as Active Directory groups, and then map the groups to the appropriate users.
5. Add users to the appropriate Zones.

For specific steps related to importing users and groups and linking them to Active Directory users and groups, see "Importing Information from NIS maps or UNIX files" in the Centrify DirectControl Administrator's Guide.

To deploy the UNIX computers

1. Install the DirectControl UNIX or Linux components on each computer to be joined to the Active Directory domain. For specific steps, see:
- "Installing the Centrify DirectControl Agent on UNIX or Linux" under "Developing the Components of the Solution" earlier in this guide.
- "Installing the Centrify DirectControl Agent on UNIX" and "Appendix C: Installing an agent software package manually" in the Centrify DirectControl Administrator's Guide. Appendix C includes separate installation instructions for several UNIX and Linux platforms, including Red Hat Linux, Solaris, Debian, HP-UX, and AIX, as well as Mac OS X.
2. Synchronize the system clock on the UNIX or Linux computers with the system clock on the Active Directory domain controller. For more information, see "Verifying Time Synchronization" under "Developing the Components of the Solution" earlier in this guide.

At this point, although the software is fully installed and ready to be enabled, the computers are still functioning in their pre-deployment state and all user and computer operations continue normally. You can initiate the deployment to Active Directory at any time, based on the constraints or requirements of your organization.

Joining UNIX Computers to Active Directory

You are now ready to switch your UNIX or Linux computers to Active Directory authentication, authorization, and directory services. Do this at the scheduled time that IT support staff and users expect the deployment to occur.

To join UNIX computers to Active Directory

1. Use the adjoin command on all UNIX computers that you want to join to the Active Directory domain (all of them, or a group at a time in a phased deployment). Use one of the following methods:
- In a smaller organization, run the adjoin command on each UNIX computer, using the following syntax:

    adjoin --user UserName --password Password --zone ZoneName DomainName

- In a larger organization, use a script to run the adjoin command remotely on all UNIX computers that you want to include in the deployment.
For more information about the adjoin command, see "Joining the Active Directory Domain" under "Developing the Solution" earlier in this guide.
2. Restart services on the UNIX computers, or reboot the computers. Typically, you must restart certain services on UNIX computers on which you installed the Centrify DirectControl Agent to ensure that those services re-read the name service switch configuration file. For example, if you typically log on to the UNIX computer through a graphical desktop manager such as GDM, you must either restart the gdm service or reboot the workstation to force the service to read the updated configuration before Active Directory users can log on. As an alternative to restarting individual services, you might want to reboot the UNIX computer to restart all services.

Stabilizing the Deployment

Verify that your UNIX computers are joined to Active Directory and confirm that the UNIX computers function correctly.

To check that your deployment is stable

1. Verify the join to Active Directory: Use the adinfo --diag command to ascertain the current configuration of each UNIX computer and to verify that it has joined the Active Directory domain. Look for output that says:
    Joined as: ComputerName

For more information about using the adinfo command, see "Confirm UNIX Computer Membership in Active Directory" under "Performing Quick Validation Tests" earlier in this guide.
2. Check the logon process: Ask a user to log on to a computer. Monitor the logon process to make sure that it works and that the user does not experience any difficulty logging on.
3. Check the log file: Review the contents of the /var/log/messages file (or the equivalent file on your platform) on the UNIX computer and check for reported problems or failures.
4. If necessary, roll back: If the join fails or logons do not work correctly, run the leave Active Directory command (adleave) to restore the UNIX computer to its previous state. Information about the adleave command is in the UNIX man page adleave(1). Resolve any issues, and then retry the adjoin command.
5. Perform the additional tests described earlier in this guide: Refer to the testing guidelines in "Performing Quick Validation Tests" in the section "Developing the Solution" and in "Testing the DirectControl Solution" in the section "Testing and Stabilizing Authentication and Authorization" earlier in this guide to perform the following tests. Use the tests that are appropriate for your deployment.
- Confirming Configuration of Users and Groups
- Testing Workstation Authorization Policies
- Testing Account Lockout Policies
- Testing Password Management Policies
- Testing Offline Authentication
- Testing Additional Administrative Tasks

After the UNIX computers are stable, monitor them closely for the first few days. When you are satisfied that Active Directory authentication and authorization are functioning as expected, you can use DirectControl to enable Active Directory authentication for additional services, such as Web applications.
Refer to the Centrify documentation for information about extending DirectControl to other services.

Major Milestone: Deployment Complete

Your deployment of the Centrify DirectControl solution to reach a stable End State is complete. At this point, the following capabilities are enabled:
- Users can use their Active Directory credentials to log on to Windows, UNIX, or Linux computers. The same user name and password can be used for all three types of computers.
- User information previously stored in one or more UNIX directory systems is now imported into Active Directory and linked to a valid Active Directory account for each user.
- If you chose to import the user information previously stored in one or more UNIX directories into DirectControl Zones, users can also log on to the UNIX and Linux computers with their previous UNIX user name and their Active Directory password.
- Authentication for a user session is provided by Active Directory and Kerberos. Standard Kerberos is fully functional on the UNIX computers. Kerberized UNIX applications can now use Kerberos tickets from Active Directory and can support a single sign-on experience without requiring the user to re-enter a user name and password.
63 WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL 58 Authorization data and directory information for users, groups, and computers is stored centrally in Active Directory and is accessible from UNIX computers and UNIX applications. Administration of user authentication and authorization is now centralized in the Active Directory system through standard Windows-based mechanisms. No separate maintenance is required on the UNIX computers to maintain authentication and authorization data. Systems previously used for authentication and authorization data storage in the UNIX environment can now be retired. The project is now ready to be handed off from the project team to the operations and support staff. CENTRIFY CORPORATION ALL RIGHTS RESERVED. PAGE 58
Operating the Centrify DirectControl Solution

This section addresses operation of the Windows security and directory services solution after deployment is completed. Completing the move to a consolidated authentication, authorization, and policy solution based on Active Directory and Centrify DirectControl results in a number of operational benefits. Operational costs are reduced because standard administrative tasks now require less time; security is easier to monitor and maintain through the robust security and policy features of Active Directory; and end user productivity and satisfaction with operations increase as tasks such as resetting forgotten passwords are greatly reduced.

Introduction and Goals

The DirectControl-specific operations information provided here is an overview and is not intended to be a complete, comprehensive operations guide. For complete information about operating the Centrify DirectControl solution, see the Centrify DirectControl Administrator's Guide.

Intended Audience

The audience for this section is primarily the support staff and members of the operations organization. However, all team leads should review the material in this section.

Knowledge Prerequisites

Ensure that your team possesses the knowledge requirements stated earlier in the guide. Train operations staff who are new to Windows and Active Directory in the information and tasks presented here before beginning to operate this solution. Operations staff should thoroughly review this guide and review the documentation that comes with Centrify's DirectControl product, including:

- Centrify DirectControl Administrator's Guide
- Centrify DirectControl Evaluation Guide
- Centrify's technical white paper: Centrify's Solution for Migrating UNIX Directories to Active Directory: Leveraging Centrify's DirectControl and Zone Technology to Simplify Migration, which is available from Centrify.

Major Tasks and Deliverables

In this phase, you perform the following major tasks:

- Manage system administration
- Administer directory services
- Administer DirectControl Zones
- Administer security
- Simplify service desk operations
- Assess capacity
- Report and audit

Managing System Administration

One of the major benefits of centralizing authentication and authorization services for UNIX computers in Active Directory is that you can now manage system administration for identity management from a single console.
For example, if a new user joins your organization, you set up the user account in one place: Active Directory. The first step is to add the user to Active Directory in the standard way using the Active Directory Users and Computers tool. However, you must perform a few additional steps to enable the user as a UNIX user, as described in the following example procedure.

To enable an Active Directory user as a UNIX user

1. Open Active Directory Users and Computers.
2. Right-click the user name, and then click Properties.
3. Click the Centrify Profile tab. By default, a new user is not added to any UNIX Zone.
4. Click Add, and then click Find Now to look up the available Zones.
5. Select the appropriate Zone, and then click OK.
6. Confirm that the user is assigned an appropriate UID, Login name, Shell, Home Directory, and Primary Group, and then select the checkbox Enable user access to this Zone.
7. Click OK or Apply.

You do not need to perform any steps on the UNIX computer. The DirectControl agent software on the UNIX computer automatically performs tasks such as creating a home directory for the user.

You use Active Directory Users and Computers and the Centrify DirectControl Administrator Console for most administrative tasks. These administrative tasks, which are similar to the example above, are documented in the Centrify DirectControl Administrator's Guide. These tasks include:

- Enabling and managing Active Directory groups for use on UNIX computers.
- Managing Zones.
- Importing information from NIS maps or UNIX.
- Using the DirectControl Information Service for NIS.
- Running reports.

In addition, you can use Active Directory Users and Computers and the Group Policy Management Console to manage group policies for UNIX users and computers.

IMPORTANT: Actions performed on user accounts now affect that user on both Windows and UNIX. For example, if you want to temporarily lock out the user from logging on to any computer that is joined to Active Directory, do this as usual by selecting Account is disabled on the account properties page for the user in Active Directory Users and Computers. After you configure this setting, the user cannot log on to any Windows or UNIX computer in the domain.

Administering Directory Services

Best practices for directory services administration are documented in other Microsoft operations guides, including the following:

- Active Directory Operations Topics at px
- Active Directory Operations Guide at 9c6e4dd a8e2-5c60c5e19bb0.mspx.

For example, one recommended practice is to use OUs to help compartmentalize users, groups, and computers into logical containers. Each container might have its own GPOs for assisting with the configuration and policy for the members of the unit.

In addition, the deployment of the DirectControl solution opens new possibilities for management strategies related to directory services administration, especially as related to the use of Zones, described next.
Administering DirectControl Zones

As mentioned earlier, you can use DirectControl Zones to compartmentalize groups of users or computers into logical units. For example:

- Group users based on a legacy directory service; for example, place all previous members of the NIS domain HRdomain into a Zone called HRzone.
- Group users based on roles; for example, place all finance users and computers into a Zone called finance.
- Group together a logically related set of users and computers; for example, place all UNIX users and computers in Europe into a Zone called Europe.

Zones can be a powerful new addition to your operational toolset. Eventually, however, you might want to reduce the number of Zones into a system that is more aligned with current day-to-day use rather than using an organizational method that is based on accommodating legacy systems. For example, you might initially set up Zones around the numerous UNIX directory systems that were imported into Active Directory (for example, one Zone for NIS directory A, one Zone for NIS directory B, and one Zone for OpenLDAP directory C). However, after those directory systems are no longer relevant to your organization, you might choose to transition to new Zones that are based on current organizational characteristics, for example, by function or by region.

Because a user can be a member of multiple Zones, you can add users to a newly defined Zone (even a Zone with no computer members) at any time. Gradually, you can move the UNIX computers from membership in a legacy directory Zone into a Zone set up around current organizational characteristics. However, in order to do this successfully, you must carefully check the impact of the user's UNIX attributes in the new Zone to make sure that settings such as the UID do not conflict with what the operating system and applications expect in the Zone.

You can find additional information about managing Zones in the Managing Zones section of the Centrify DirectControl Administrator's Guide. You can find additional information about Zone migration strategies in the white paper Centrify's Solution for Migrating UNIX Directories to Active Directory: Leveraging Centrify's DirectControl and Zone Technology to Simplify Migration.

Because Zones are transparent to the UNIX user, it might make sense for you to use Zones as a way of compartmentalizing administration as opposed to using Zones for organizational groups. For example, you might want to put all Red Hat Linux computers in one Zone and all Solaris computers in a different Zone because different operators might be administering these two groups of computers. In addition, with the new capability provided by DirectControl Group Policy, some policies might be applicable to one Zone (for example, enforced SELinux settings in a Red Hat Enterprise Linux 4 Zone) but not applicable to another Zone.

Administering Security

Security administration is crucial for any organization. Establish controls to ensure that operators are granted rights for administering the computers and attributes that are required as part of their job but are locked out from accessing or changing computer settings outside their areas of responsibility. Active Directory fully supports delegated administration and the compartmentalization of systems and users within an organization. You can set up these divisions as separate OUs or as separate domains within the Active Directory forest, and then specify permissions for different types of tasks within each group. The DirectControl solution expands the delegation concept by letting you assign the administration of each UNIX Zone to the appropriate operators and administrators on a Zone-by-Zone basis.
Delegation of Zone Administration

You can use the Centrify DirectControl Administrator Console to grant particular users and groups permission to perform specific types of administrative tasks within each Zone. The section "Assigning management privileges for each Zone" earlier in this guide provides an example of using delegated Zone administration to restrict administrators' access to only the functions and computers that are applicable to their job. For more information about delegated administration capabilities and guidelines for using the DirectControl delegated administration features, see the Centrify DirectControl Administrator's Guide that comes with the DirectControl product.

Security Policy Administration

The deployment of the End State with DirectControl lets you use Active Directory to authenticate UNIX clients with Kerberos and to access UNIX authorization and identity information with LDAP. This means that the operations group has several new controls available for security and policy administration.

Active Directory includes numerous capabilities for enforcing password policy, such as password length, password complexity, length of time a password can be used, and account lockout based on the number of logon failures. With DirectControl, all password policies applicable to Windows systems are now also applicable to UNIX computers and users. No additional administrative steps are required to enable this functionality. Because the UNIX system is a member of the Active Directory domain, the policies of the domain are automatically applied to all UNIX or Linux members.

Another key feature of DirectControl is the ability to map privileged local UNIX accounts to Active Directory accounts. The UNIX root account has full access to all data and can manipulate all settings on a UNIX computer. Centrally controlling the root account and other special UNIX accounts makes it more difficult for an unauthorized user to obtain escalated privileges on the UNIX system. In addition, password policies that apply to standard Active Directory user accounts now also apply to privileged UNIX accounts, thereby enforcing controls on these special accounts.

Simplifying Service Desk Operations

You can substantially simplify help desk and service desk operations now that a centralized Active Directory based system is in place for controlling identity management and access across your organization's Windows and UNIX systems. You can now perform tasks such as adding a user to a new group or granting a user access to a new system centrally, rather than doing it once for the Windows environment and one or more times for each UNIX or Linux environment.

Another major benefit of implementing the End State is the ability to consolidate user passwords. According to the Gartner Group, which researches the IT industry worldwide, 30 percent of all help desk calls are requests for password resets (see ). Before the migration to the End State, your organization might have had dozens of directory systems and, as a result, users might have had accounts on many different systems, each with its own password. With numerous logon names and passwords to remember, the likelihood of a user forgetting the credentials for a particular system is high. Now, with a single consolidated identity management system for Windows, UNIX, and Linux, the user has only one user name to remember and only one password. Because this single password is the password that each user uses every day to log on to their primary computer, the likelihood that they will forget the password is greatly reduced.
If a user attempts to log on to a UNIX computer that is configured to use DirectControl and the logon fails, you can take a number of steps to get to the root cause of the problem. Typically, the problem is related to how the UNIX computer is joined to the Active Directory domain, local settings on the UNIX computer, or user settings in Active Directory. The following procedures show how to investigate each of these potential problem areas.

To check the status of the UNIX computer's relationship with the Active Directory domain

1. Log on to the UNIX computer and make sure that there is network connectivity between the UNIX computer and an Active Directory domain controller. For example, use the ping command:

   ping DomainControllerName

2. Log on to the UNIX computer as root and run adinfo. The output from this command should be similar to the following:

   Local host name: redhat9-1
   Joined to domain: contoso.local
   Joined as: redhat9-1
   Preferred site: Default-First-Site-Name
   Zone: contoso.local/Program Data/Centrify/Zones/default

   If the output displays an error, it is likely that the join was not done correctly. Perform an adleave and an adjoin again and repeat the adinfo step. If there is still a problem, there might be an issue with network connectivity or the names that were used when the UNIX computer joined the domain. For information about how to use adjoin, see "Understanding the adjoin command" and "Using adjoin to join a UNIX or Linux computer to Active Directory" earlier in this guide. For more information about how to use adleave and adinfo, see "To check that your deployment is stable" in "Stabilizing the Deployment" earlier in this guide.

3. If the output in step 1 does not show an error, check that the system clocks for the UNIX computer and the Windows computer are synchronized. If they are not in sync, reset the UNIX computer system clock using the date command. See the UNIX man page date(1) for the appropriate syntax for your UNIX or Linux operating system.

To check the DirectControl settings on the UNIX computer

1. Log on to the UNIX computer as root.

2. Open the file /etc/centrifydc/centrifydc.conf in an editor, such as vi, and search for the line that starts with pam.deny.users:. Make sure that the user who is trying to log on to the UNIX computer is not listed on this line. Also check to make sure the user is not a member of a group that is restricted from logging on to the UNIX computer based on the settings of the pam.deny.groups line.

3. If the problem still exists, check the contents of the log file /var/log/messages after the user attempts to log on. You can use information in this file to help determine where there might be an issue with the configuration of the software or issues with the user's account.

To check the user's settings

1. Log on to the UNIX computer and run the command:

   getent passwd

   This command displays both a list of local users and UNIX-enabled Active Directory users. Search the output for the user's name. If the name is not found but other Active Directory users are listed, it is likely that the user has not been added to the Zone that the UNIX computer is a member of. Log on to a Windows computer where the DirectControl software is installed and enable the user in the correct Zone. If no Active Directory users were listed in the output of the getent passwd command, the DirectControl software is not configured correctly or the Active Directory domain controller is not available.

2. If the user's name is listed in the output of the getent passwd command, check the settings for the user in the Windows-based DirectControl Administrator Console or in Active Directory Users and Computers. For example, make sure the account has not been disabled and that the user has rights to log on to the UNIX computer.

In addition to the recommendations above, it is possible to put the DirectControl adclient daemon that runs on the UNIX computer into debug mode. You can do this by logging on as root on the UNIX computer and running the following command:

   /usr/share/centrifydc/bin/addebug on

Running this command enables extensive ongoing logging information related to the DirectControl software to be written to the UNIX file /var/log/centrifydc.log. You can use this file to further diagnose the cause of any problems or to enable Centrify's support staff to assist with resolving any issues. For more information about resolving logon issues for users, see "Troubleshooting authentication and authorization" in the Centrify DirectControl Administrator's Guide.

Assessing Capacity

After you deploy the DirectControl solution, conduct a careful analysis of the new environment to ensure that your network and domain controllers have enough capacity to handle the new load of UNIX users and computers in the Active Directory domain. Although the DirectControl solution includes technology that reduces resource usage and domain controller traffic between a UNIX computer and the Windows domain controller, it is still important to evaluate the volume of traffic incurred by UNIX users and computers.
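Returning to the logon troubleshooting procedures above, the following script is an added example (not Centrify's code) that packages the three checks, adinfo output, the pam.deny.users and pam.deny.groups lines in centrifydc.conf, and the getent passwd comparison, as functions that take command output as text. The sample outputs embedded in it are constructed, and the live section at the end assumes the adinfo, getent and id commands are on the PATH.

```shell
#!/bin/sh
# Added example: helper functions for the DirectControl logon troubleshooting
# procedures. Functions take captured output as text so they run offline; the
# block at the end runs the same checks against a live host when a user name
# is supplied on the command line.

# Constructed sample of adinfo output, modelled on the guide's example host.
SAMPLE_ADINFO='Local host name: redhat9-1
Joined to domain: contoso.local
Joined as: redhat9-1
Preferred site: Default-First-Site-Name
Zone: contoso.local/Program Data/Centrify/Zones/default'

# Constructed centrifydc.conf fragment with both deny lists set.
SAMPLE_CONF='# constructed fragment
pam.deny.users: bob, carol
pam.deny.groups: contractors'

# Constructed "getent passwd" output: root is local, alice comes from the Zone.
SAMPLE_GETENT='root:x:0:0:root:/root:/bin/bash
alice:x:10001:10001:Alice Example:/home/alice:/bin/bash'

# Constructed /etc/passwd: only the local account.
SAMPLE_LOCAL='root:x:0:0:root:/root:/bin/bash'

# adinfo_field FIELD OUTPUT: print the value of one "Field: value" line.
adinfo_field() {
  printf '%s\n' "$2" | sed -n "s/^$1: *//p"
}

# is_denied_user USER CONF: true when USER appears in pam.deny.users.
is_denied_user() {
  denied=$(printf '%s\n' "$2" | sed -n 's/^pam\.deny\.users: *//p' | tr ',' ' ')
  for d in $denied; do
    [ "$d" = "$1" ] && return 0
  done
  return 1
}

# is_denied_group "GROUP ..." CONF: true when any of the user's groups
# (for example the output of: id -Gn USER) appears in pam.deny.groups.
is_denied_group() {
  denied=$(printf '%s\n' "$2" | sed -n 's/^pam\.deny\.groups: *//p' | tr ',' ' ')
  for g in $1; do
    for d in $denied; do
      [ "$g" = "$d" ] && return 0
    done
  done
  return 1
}

# classify_user_lookup USER GETENT_OUT LOCAL_PASSWD: reproduce the decision in
# "To check the user's settings", step 1. Prints one of:
#   found        - the user is visible through the name service
#   not-in-zone  - other Active Directory users are visible, this one is not
#   no-ad-users  - only local accounts are visible (agent or DC problem)
classify_user_lookup() {
  if printf '%s\n' "$2" | grep -q "^$1:"; then
    echo found
    return 0
  fi
  # Entries returned by getent but absent from /etc/passwd must come from AD.
  ad_count=$(printf '%s\n' "$2" | cut -d: -f1 | while read -r n; do
    printf '%s\n' "$3" | grep -q "^$n:" || echo "$n"
  done | wc -l | tr -d ' ')
  if [ "$ad_count" -gt 0 ]; then echo not-in-zone; else echo no-ad-users; fi
}

# Live diagnosis: sh check_dc_logon.sh USER  (skipped when no user is given).
if [ -n "${1:-}" ]; then
  user=$1
  adinfo_out=$(adinfo 2>&1) || echo "adinfo failed; rerun adleave and adjoin"
  echo "Joined to domain: $(adinfo_field 'Joined to domain' "$adinfo_out")"
  echo "Zone:             $(adinfo_field 'Zone' "$adinfo_out")"
  conf=$(cat /etc/centrifydc/centrifydc.conf)
  is_denied_user "$user" "$conf" && echo "$user is listed in pam.deny.users"
  is_denied_group "$(id -Gn "$user" 2>/dev/null)" "$conf" && echo "$user is in a pam.deny.groups group"
  echo "name service lookup: $(classify_user_lookup "$user" "$(getent passwd)" "$(cat /etc/passwd)")"
fi
```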
As a result of this capacity management analysis, you might need to make some changes to ensure optimal performance and availability. For example, if your organization has a small number of UNIX computers in the same location as a large number of Windows computers, and all users accessing the few UNIX computers are existing Windows users, deploying DirectControl to implement the End State probably causes only a minimal impact on your network or domain controllers. However, the following factors might require allocating additional resources:

- If UNIX or Linux computers are in a different location than the domain controllers that they need to access, consider installing a domain controller closer to the UNIX computers.
- If you need to ensure availability in the event of a network or server failure, ensure that you have an adequate number of domain controllers.
- If you add a large number of UNIX users to the Active Directory domain, you must apply your standard measures for balancing domain controllers per numbers of users.
- If you add a large number of UNIX computers to the Active Directory domain, you must apply your standard measures for balancing domain controllers per numbers of computers.
- If you move a large number of UNIX computers from a local directory (that is, /etc/passwd) to Active Directory, you might require additional network bandwidth, because authentication and authorization requests are now done over the network.

DirectControl employs a number of techniques for caching credentials and reducing the amount of network traffic required for information lookups in the directory. This is a major area of differentiation between the DirectControl solution and similar solutions based on Open Source technology. For example, if a UNIX user executes the ls -l command at a UNIX command shell, a listing of files and their attributes, such as the owner of each file, is looked up and displayed. The file's owner is stored as a number, the user's UID, in the properties area for the file on the UNIX computer. Since the ls command displays the owner as a name, not a number, the ls command must look up the actual user name associated with the owner's UID. Since the UIDs and user names are stored in Active Directory, this lookup must be serviced by the Active Directory system. If a lot of files are displayed when the ls command is executed, there will be a lot of lookup traffic between the UNIX computer and the Active Directory system.

DirectControl reduces this traffic by caching the lookups so that the information does not have to be retrieved from the Active Directory system every time a lookup is required. Commands look in the local cache first for the relevant information instead of retrieving the information from Active Directory every time. Typical Open Source based solutions do not have a caching capability. Therefore, there will be substantially more network traffic and load on the Active Directory domain controllers once UNIX computers are set up to use Active Directory for authentication, authorization, and other directory services.

Reporting and Auditing

One of the key strengths of the Centrify DirectControl solution is its robust reporting capability. DirectControl includes several standard reports that provide summarized and detailed information about your UNIX users, groups, computers, Zones, and licenses. The "Running reports" section in the Centrify DirectControl Administrator's Guide describes the reports that you can produce with DirectControl and how to generate and export the report data. You can use the Centrify DirectControl Administrator Console to create reports about all of the UNIX users, computers, groups, and Zones that you define and the properties associated with each of them.
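The cache-first UID lookup described under Assessing Capacity, as an added simulation (not Centrify's code or the agent's real cache): it replays the owner column of an ls -l style listing through a lookup function with and without a local cache and counts the round trips to the directory, which the agent's cache is meant to avoid. The directory table and the listing are constructed, and the simulation also records misses (negative caching) so that an owner UID with no directory entry is not queried again on every file.

```shell
#!/bin/sh
# Added example: simulate the cache-first UID-to-name lookup that an ls -l
# triggers on a DirectControl-joined host, and count directory round trips.

# Constructed stand-in for the Active Directory UID-to-name data.
DIRECTORY='10001 alice
10002 bob
10003 carol'

# Constructed "ls -ln" listing: eight entries owned by three distinct UIDs,
# one of which (10999) is unknown to the directory.
LISTING='-rw-r--r-- 1 10001 10001 120 Jan 1 09:00 report.txt
-rw-r--r-- 1 10001 10001 340 Jan 1 09:01 notes.txt
drwxr-xr-x 2 10002 10002 4096 Jan 1 09:02 build
-rw-r--r-- 1 10002 10002 88 Jan 1 09:03 Makefile
-rw-r--r-- 1 10001 10001 12 Jan 1 09:04 README
-rw------- 1 10999 10999 0 Jan 1 09:05 orphan.dat
-rw-r--r-- 1 10002 10002 77 Jan 1 09:06 main.c
-rw------- 1 10999 10999 0 Jan 1 09:07 orphan2.dat'

QUERY_COUNT=0   # round trips to the directory so far
CACHE=''        # "uid name" lines; a name of "-" records a miss (negative cache)

# dir_query UID: the expensive lookup. Sets DIR_RESULT (empty on a miss) and
# counts one round trip. Written without a subshell so the counter survives.
dir_query() {
  QUERY_COUNT=$((QUERY_COUNT + 1))
  DIR_RESULT=$(printf '%s\n' "$DIRECTORY" | awk -v u="$1" '$1 == u { print $2 }')
}

# resolve_uid UID MODE: MODE is "cache" or "nocache". Sets NAME to the owner
# name, or to the UID itself when the directory has no entry (as ls does).
resolve_uid() {
  hit=$(printf '%s\n' "$CACHE" | awk -v u="$1" '$1 == u { print $2 }')
  if [ "$2" = cache ] && [ -n "$hit" ]; then
    [ "$hit" = - ] && NAME=$1 || NAME=$hit
    return 0
  fi
  dir_query "$1"
  if [ -n "$DIR_RESULT" ]; then
    NAME=$DIR_RESULT
    CACHE="$CACHE
$1 $DIR_RESULT"
  else
    NAME=$1
    CACHE="$CACHE
$1 -"
  fi
}

# list_with_owners LISTING MODE: resolve the owner of every entry the way
# ls -l would, print the owner names on one line and the round-trip count
# on the next.
list_with_owners() {
  QUERY_COUNT=0
  CACHE=''
  rendered=''
  for uid in $(printf '%s\n' "$1" | awk '{ print $3 }'); do
    resolve_uid "$uid" "$2"
    rendered="$rendered $NAME"
  done
  echo "${rendered# }"
  echo "$QUERY_COUNT"
}

# directory_queries LISTING MODE: just the round-trip count for the listing.
directory_queries() {
  list_with_owners "$1" "$2" | sed -n '2p'
}
```

With the constructed listing, the uncached run costs one round trip per entry (8) while the cached run costs one per distinct UID (3), including the single query recorded for the unknown UID.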
In addition to providing detailed lists of user names and properties, reports provide you with different views of the information. For example, you can view computers grouped by Zone or users grouped by application license. You can also use reports to periodically check the integrity of Zones across the Active Directory forest and to verify which users have access to specific computers, Zones, and applications. Reports can help simplify accounting and auditing of user access and provide the information you require for business planning and regulatory compliance.

By default, reports include information for all UNIX users, groups, computers, or Zones, depending on the type of report you select. You can, however, filter report information to include only specific Zones, specific user accounts, or other attributes.

After you generate a report, you can export the report to a variety of formats. Because each time you select a report you generate a new snapshot of your environment, exporting a report allows you to save the report content for comparison over time. Depending on the format you select, you can then print, distribute, format, and manipulate the report information. You can export the report to the following formats:

- Microsoft Excel (.xls)
- Microsoft Word (.doc)
- Rich Text Format (.rtf)
- Adobe Acrobat (.pdf)

For example, after generating a report with information on all the users that are enabled in each Zone, you can export it to Microsoft Excel (.xls) format, and then import the information into an Excel worksheet to create a charge-back report on account usage for each department.
Major Milestone: Operations Readiness Complete

Your deployment of the Centrify DirectControl solution to reach a stable End State is now fully operational. The operations and support staff are maintaining the solution and performing day-to-day tasks, such as:

- Managing various aspects of the DirectControl solution, including administration of the following:
  - The DirectControl product
  - Directory services
  - Security
  - DirectControl Zones
- Using the DirectControl solution to streamline service desk operations.
- Using the reporting and auditing features of DirectControl.

Technically, the guidance for using the DirectControl product to reach the fully deployed and operational End State in a production environment is now complete. However, there are other scenarios beyond the one defined by the End State where a centralized Active Directory solution for security and directory services can have major potential benefits for your organization. The next section explores some of these scenarios.
Evolving the Centrify DirectControl Solution

Now that you have used DirectControl to deploy an Active Directory based security and directory services solution for UNIX and Linux computers, you might want to explore additional ways to take advantage of Active Directory's infrastructure services beyond authenticated logons and authorization.

Introduction and Goals

This section explores how to extend the DirectControl solution to address some common real-world scenarios. It is designed to be an eye opener and to help you think about solution areas that were potentially not in scope when the migration to the End State was first envisioned.

Intended Audience

The information in this section is optional and potentially appropriate for all team members. Specific sections should be read by all team members who share a specific role:

- Developers. Developers, including application developers, can learn how to extend applications to take advantage of the security and directory infrastructure that has been enabled by the DirectControl product.
- Deployment and Operations Staff. Deployment, operations, and support staff can learn how to apply centralized policy and configuration settings across their UNIX computers by using the Group Policy capabilities of DirectControl. Other topics of interest for administrators are also covered in this section.

Knowledge Prerequisites

Before reading this section, it is recommended that you read the preceding sections of this guide that cover the functionality and use of the DirectControl product. It is recommended that you familiarize yourself with the following documentation:

- Centrify DirectControl Administrator's Guide
- Centrify DirectControl Evaluation Guide
- Centrify's technical white paper, Centrify's Solution for Migrating UNIX Directories to Active Directory: Leveraging Centrify's DirectControl and Zone Technology to Simplify Migration.
You can obtain these documents from Centrify.

Determining What the Next Steps Are for Your Security and Directory Services Solution

The first step in evaluating how to extend your security and directory services solution is to understand how the UNIX computers are used, which applications are typically used, what types of additional IT services you want to enable, and what types of controls you need to apply to the computers in the network. Some of this research can be summarized as follows:

The day in the life of a computing session. It is important to understand what types of computing sessions you need to support. Are they logon sessions, and, if so, are they character-based logons or graphical logons? Are they on the local computer, or do users log on through a remote mechanism such as ssh? Many UNIX computers have few interactive users but are instead used as application servers or computers running database systems or Web applications. What role does Active Directory authentication and authorization need to play for these applications? With DirectControl, users can log on locally and remotely with a variety of methods but always by using their Active Directory credentials. You can also enable session authentication for application sessions, again making use of the user's existing Active Directory session credentials.

Single sign-on. A seamless computing experience is typically more than just having a single user name and password for all computers. Users appreciate the single sign-on experience that is possible with the Windows desktop and server domain environment. How can this seamless, yet secure experience be extended to UNIX and Linux platforms and applications running on these computers? DirectControl supports methods for single sign-on computing by using Kerberos ticket-based authentication and by using standard mechanisms such as the Generic Security Service Application Program Interface (GSS-API) and the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) for silent application authentication and directory service enabled applications.

Application migration. Existing applications on UNIX or Linux were not built to be aware of Active Directory and therefore will not work in an Active Directory environment without modifications. Or will they? In reality, many UNIX applications can run in an Active Directory environment with a small number of configuration changes or minor code modifications. Some UNIX applications can only be made to work with Active Directory using legacy mechanisms such as the Network Information Service. Other UNIX applications can take advantage of standards-based mechanisms for application and platform interoperability in an Active Directory environment.
DirectControl uses the existing UNIX or Linux operating system infrastructure for making Active Directory services available to the platform. After the deployment of the DirectControl solution, applications and services that are PAM-aware are now Active Directory aware. Services that use the name service switch system can now transparently access Active Directory. DirectControl also includes an Active Directory enabled NIS server that interfaces with computers and applications that need to use the NIS protocol.

How is data securely accessed? File sharing and access to data on distributed systems are essential for most corporate computer users. How can authenticated users on one UNIX computer access files they need on other UNIX or Windows computers? The Server Message Block (SMB) protocol is the standard for file sharing between Windows computers. Windows users can use their Active Directory credentials to access files on other Windows computers in a secure yet easy way. DirectControl extends the UNIX authenticated session capabilities to allow secure bi-directional file sharing between UNIX, Linux, Macintosh, and Windows computers by using SMB protocols and solutions.

Enforcing computing access and policy. Enforcing computing policy is now more than just a security or operations requirement. Compliance with legal and government mandates for data and system access for both corporate and customer information is becoming a major concern for corporations. How can you extend Active Directory to better control and monitor UNIX and Linux computers? DirectControl handles this challenge at two levels: you can manage computers more effectively by using Group Policy and other Active Directory based tools to enforce policy and system configuration, and you can monitor the computers through robust reporting capabilities that are built into the Centrify DirectControl Administrator Console.

What about other platforms? This guide has focused on extending Active Directory security and directory services to UNIX and Linux computers. What about other platforms, such as Apple's Macintosh, IBM's AS/400, and mainframe computers? Centrify has extended its product family to support the Apple Macintosh OS X operating system. Having identity management for all non-Windows platforms tied to Active Directory and managed from one console, the Centrify DirectControl Administrator Console, means that users have only one set of credentials to remember across all computers and that administrators have only one interface to use to set up and manage identity. Centrify plans to continue to invest in extended platform support based on input from customers.

The themes highlighted above are just a few of the areas that you might consider as next steps. Professional services organizations and consulting groups from vendors such as Centrify can help organizations explore possibilities beyond the scenarios covered in this guide. While each of these areas could fill its own solution guide, it is worth highlighting two areas in more detail because they are likely to be scenarios for virtually every customer. The first topic addresses enabling UNIX applications to work with the authentication, authorization, and directory services infrastructure that is provided with Active Directory. The second topic covers some of the basic elements of extending security and access controls for UNIX computers through centralized Group Policy methods.

Expanding Single Sign-On Capabilities to Applications

Providing centralized authentication and authorization to UNIX computers to enable logons with Active Directory credentials offers major benefits for an organization.
However, many companies see this as only the first step towards a single identity infrastructure that embraces sessions, applications, data, and beyond. Active Directory uses Kerberos and LDAP standards-based technology and DirectControl uses these same standards as well as de facto standards for enabling authentication and authorization services (for example, PAM or NSS). As a result, you can enable many applications to be Active Directory aware with relatively little work. This section provides an overview of four technology areas that support extending applications with these services: Kerberos, PAM, Web-based methods, and NIS. All four of these application authentication and authorization mechanisms are supported in the standard DirectControl product. Using Kerberized Applications Kerberos has been a de facto standard for authentication on both Windows and UNIX platforms for many years. The basic Kerberos technology is freely available from Massachusetts Institute of Technology (MIT) and other sources and is also available as commercial product technology in both network infrastructure products and in applications. Kerberos is used as the default method for authentication in Active Directory. When a user logs on to a computer that uses Active Directory authentication, a Kerberos ticket is issued to the user and that ticket allows the user to access data, applications, other computers, and other sessions without having to present user credentials again. In a Windows-based network, much of the single sign-on experience that allows a user to browse network shares or run server applications such as Exchange is enabled through the Kerberos silent authentication and ticket mechanism. CENTRIFY CORPORATION ALL RIGHTS RESERVED. PAGE 69
Fortunately, in a UNIX environment, Kerberos is also well established; many applications are already Kerberos-aware and include built-in support for making use of a user's Kerberos ticket. These applications include telnet, SSH, and SMB-related technologies such as Samba. When you install DirectControl on a UNIX computer and join that computer to an Active Directory domain, a complete standard Kerberos system is also automatically installed and correctly configured on that computer. Correctly configured means that the UNIX computer has joined the Active Directory Kerberos realm and that Kerberos requests are forwarded to and correctly serviced by the Kerberos system running on the Active Directory server. To the UNIX computer, Active Directory looks like any other standard Kerberos authority. Therefore, you can expect any Kerberized application to just run after DirectControl is installed.

To demonstrate how this works, install a recent version of Samba (version 3.0.x or later) on your UNIX or Linux computer. Make sure that the smbclient utility is also installed. Smbclient allows a UNIX user to browse an SMB file share on any computer, including a share on a Windows file server. An smbclient option lets Kerberos be used as the method for silently passing the user's credentials to the domain controller. You can use the steps in the following procedure to illustrate this capability.

To illustrate the capability of a Kerberos application using Active Directory credentials:

1. On a Windows file server (called, in this example, centrifyad) create a shared folder called Sharedir and grant domain users write access on the share.

2. Log on to a UNIX or Linux computer with an Active Directory user account.

3. Type the following command to change to the /etc directory so that you can copy a file to a Windows file share:

   cd /etc

4. Type the following smbclient command with the -k (that is, use Kerberos silent authentication) option to access the file share, then copy a local file to that share using the put subcommand and list the share with the dir subcommand:

   smbclient -k //centrifyad/sharedir
   put passwd
   dir

   The above commands produce the following output:

   $ cd /etc
   $ smbclient -k //centrifyad/sharedir
   OS=[Windows Server ] Server=[Windows Server ]
   smb: \> put passwd
   putting file passwd as \passwd (86.3 kb/s) (average 86.3 kb/s)
   smb: \> dir
     .                              D        0  Tue Jul  5 21:52:
     ..                             D        0  Tue Jul  5 21:52:
     passwd                         A     1502  Tue Jul  5 21:52:

                   blocks of size          blocks available
   smb: \>

5. On the Windows computer, open Sharedir and confirm that the file passwd was copied to the server.

6. Right-click passwd, click Properties, and verify that passwd was created on Sharedir with the appropriate ownership and properties.
Numerous books are available for developers that describe how to write Kerberos-enabled client and server applications or that provide more detail on existing applications that support Kerberos. O'Reilly's Kerberos: The Definitive Guide is a good reference for further information about Kerberos and Kerberos applications.

Using PAM-Aware Applications

Pluggable Authentication Modules (PAM) is a technology that is supported on Linux, Sun Solaris, and other UNIX computers as a means to provide a flexible mechanism for authenticating users regardless of the underlying authentication system. PAM supports the standard logon-enabled programs on UNIX (for example, login, ftpd) as well as other programs that rely on user authentication (for example, Samba or mail servers). PAM relies on configuration files that direct the application to try one or more authentication methods when the user invokes an application session. For example, you can configure login to try the local password file first and then try Active Directory authentication if the first method fails. After a user is authenticated, further action can be taken to service the session. For example, if a user does not have a home directory, it is possible to configure PAM to automatically create the user's home directory on first login.

According to the FAQ on Linux-PAM: "PAM provides a way to develop programs that are independent of authentication scheme. These programs need authentication modules to be attached to them at runtime in order to work. Which authentication module is to be attached is dependent upon the local system setup and is at the discretion of the local system administrator."

DirectControl includes a PAM module, pam_centrifydc.so, which directs PAM requests to Active Directory. This PAM module is automatically configured as the initial authentication method in the master system-auth PAM configuration file. This means that any PAM-enabled application is automatically configured to use Active Directory authentication through DirectControl. For example, a user can log on to the computer using SSH with their Active Directory credentials. Because SSH is a PAM-based application, this capability is enabled without having to make any changes to the SSH daemon or to the SSH client.

For more information about existing UNIX applications that are PAM enabled, see the Linux Kernel Archives PAM Modules Web site. Developers who want to write applications that can use the services provided by PAM can consult The Linux-PAM Module Writers' Guide, O'Reilly's Writing PAM-Capable Applications, or other developer documentation.

Using DirectControl for Web-based Single Sign-On

A variety of Web servers and Java-based application servers are available on Linux and UNIX platforms. In most cases, these Web platforms provide some type of native authentication and authorization system for Web developers to use for Web-based applications. With DirectControl, you can extend these native interfaces to seamlessly connect to Active Directory for authentication and authorization, enabling Web applications with a single sign-on capability. Centrify provides authentication and authorization services for Web applications through custom modules that can be called directly from within a given Web application. These modules include the following:

DirectControl SPNEGO module. This module allows Microsoft Internet Explorer to silently and securely pass the client user identity to a Web application hosted on an Apache Web server that runs on a UNIX computer. Simple and Protected GSS-API Negotiation Mechanism (shortened to SPNEGO; GSS-API stands for Generic Security Services Application Programming Interface) is an HTTP authentication mechanism that is used by Microsoft Internet Explorer and by the Microsoft Internet Information Services (IIS) Web server for Kerberos-based user authentication. GSS-API libraries are also included with DirectControl. According to the GSS-API entry in the Internet FAQ Archives: "The GSSAPI is a generic API for doing client-server authentication. The motivation behind it is that every security system has its own API, and the effort involved with adding different security systems to applications is extremely difficult with the variance between security APIs. However, with a common API, application vendors could write to the generic API and it could work with any number of security systems. How does this relate to Kerberos? Included with most major Kerberos 5 distributions is a GSSAPI implementation. Thus, if a particular application or protocol says that it supports the GSSAPI, that means that it supports Kerberos, by virtue of Kerberos including a GSSAPI implementation."

DirectControl Java/J2EE modules. These modules provide the ability to authenticate and perform access control for Java/J2EE applications. For example, the Java Authentication and Authorization Service (JAAS) module is a general purpose module for logging on a user in the Java world. This is very similar to a PAM module; in fact, the JAAS authentication scheme is modeled on PAM. The JAAS module can operate in one of two modes:

Silent. In Silent mode, the user is not prompted for a user name or password. Instead, the module queries the underlying operating system to determine who this user is and, if the user is found, the module sets up the user's credentials for later use.

Prompted. In Prompted mode, the JAAS module asks the application to prompt the user for a user name and password. When the user responds, the module then validates this data and stores the user's credentials for later use.

DirectControl Tomcat module. Tomcat, the open source J2EE server, provides two main interfaces for controlling security: realms and authenticators. The realm specifies the mechanism for looking up user credentials in a database, and authenticators perform authentication by using a specific mechanism or protocol. Centrify DirectControl for Tomcat provides a JAAS realm that allows different authenticators, such as BASIC authentication and FORM authentication, to verify a user's name and password combination against Active Directory. In addition to supporting the Centrify DirectControl JAAS realm, Centrify DirectControl for Tomcat provides an SPNEGO authenticator that allows transparent authentication using Kerberos tickets when users access the application through Internet Explorer. Installing Centrify DirectControl for Tomcat makes it easy for the application developer or IT administrator to map Tomcat roles to Active Directory groups to provide additional control over which users can access the application or perform certain tasks. Tomcat applications can use DirectControl to automatically map Active Directory groups to Tomcat role names. To use the SPNEGO authenticator for transparent authentication when users access the application with Internet Explorer, you need to modify the authentication method defined in the application's web.xml file. For example, instead of using FORM or BASIC authentication, you can specify SPNEGO authentication.

The Centrify DirectControl Evaluation Guide provides instructions for setting up an evaluation environment to demonstrate Active Directory authentication and authorization with the Tomcat Web server. You can find complete instructions for using the DirectControl SPNEGO, Java/J2EE, and Tomcat modules in the Centrify DirectControl Administrator's Guide. You can find examples for demonstrating the capabilities of the modules in the DirectControl Evaluation Guide. DirectControl also provides Active Directory-based authentication and authorization modules for other J2EE application servers, including JBoss, BEA's WebLogic and IBM's WebSphere.

Supporting Legacy NIS Applications

When Centrify DirectControl is installed on a UNIX computer, the Name Service Switch (NSS) configuration file, nsswitch.conf, is modified so that account lookup requests are passed to Active Directory through the adclient daemon. By sending these requests to Active Directory, DirectControl bypasses the standard Network Information Service (NIS) or other services. In some organizations, however, bypassing NIS might be problematic. For example, you might use applications, such as automount, that require access to a NIS server because they send requests directly to the NIS port and expect a NIS process to be listening there. You might also have computers or devices, such as Network Attached Storage (NAS) devices, on which you cannot install the Centrify DirectControl Agent but that need access to the account and group information that you store in Active Directory.

For computers and applications that submit lookup requests directly to a NIS server listening on the NIS port, DirectControl includes its own version of NIS. The Centrify DirectControl Network Information Service relies on its own daemon process, adnisd, to receive and respond to NIS client requests. The Centrify DirectControl Network Information Service is an optional addition to the Centrify DirectControl Agent and can be installed on one or more DirectControl-managed computers, as needed. After the DirectControl Network Information Service is installed and running, it functions just like a standard NIS server but responds to NIS client lookup requests by using information stored in Active Directory. Although you can leave standard NIS servers in place on your UNIX network, using the DirectControl Network Information Service lets you centralize all directory service operations with Active Directory. After you import all relevant data into Active Directory and configure the NIS clients to use the Centrify DirectControl Network Information Service, you can decommission your legacy NIS servers.
The following figure illustrates the functionality of the Network Information Service included with DirectControl.

Figure: An example of the Network Information Service included with DirectControl

As indicated in the figure, a Zone of UNIX computers called Finance Zone has been created. The UNIX computers that are not managed by DirectControl but need access to the information stored in Active Directory can be configured to send their NIS requests to the DirectControl-managed UNIX computer on which the DirectControl NIS daemon runs. The NIS daemon passes these requests to the DirectControl daemon (adclient) that, in turn, connects to Active Directory to retrieve the requested information. Active Directory returns the information from the data stored in the appropriate NIS map, and the information is passed back through the DirectControl NIS daemon (adnisd) to the client that made the request. NIS maps stored in Active Directory can be maps imported directly from an existing NIS server and domain or imported from existing text files. The Centrify DirectControl Administrator Console provides the interfaces for importing, creating, viewing, editing, and deleting the maps.

Enabling Configuration and Access Control with Active Directory and Group Policy

One of the most requested features for Centrify's DirectControl product is the requirement to extend Microsoft's Group Policy system to UNIX, Linux, and Macintosh computers. For many companies, centralized policy and configuration control is just as important as centralized identity management.

Applying Domain-wide Policy through Active Directory

After you deploy the End State in your production environment, a logical next step is to review policies and mandatory configuration settings that are currently enforced for Windows computers through Group Policy and evaluate the potential applicability of these policies for UNIX, Linux, and Macintosh computers. You can apply some of these policies directly with Active Directory without the need for any Group Policy components on the UNIX computer. For example, most organizations establish a policy for password strength. You can view or modify this policy by using the Default Domain Security Settings console (displayed by clicking Domain Security Policy under Administrative Tools). After you save these settings, they automatically apply to UNIX users who use DirectControl for Active Directory authentication. This occurs because the Active Directory engine is used for authenticating the UNIX user and Active Directory is governed by these policy settings.

Figure: Typical Windows domain policy settings for password strength

Applying Policy for UNIX Users and Computers with Group Policy

Ideally, if you want to apply specific policies for non-Windows computers, you do this from the same central system that handles Windows-based policy. To satisfy this requirement, Centrify DirectControl Group Policy lets you extend the configuration management capabilities of Windows GPOs to managed UNIX computers and users. Centrify DirectControl includes a Group Policy component that runs on the UNIX computer but is controlled through the Group Policy engine on Windows. This section provides an overview of key concepts for working with group policies and GPOs in an environment that includes UNIX users and UNIX computers. For more detailed information about creating and managing group policies and GPOs, see the Centrify DirectControl Administrator's Guide and Windows or Active Directory documentation.

When you define Active Directory group policy settings, the settings are stored in a GPO. Each GPO can consist of configuration information that applies to computers, configuration information that applies to users, or sections of policy specifically devoted to each. You link a GPO to an Active Directory OU, domain, or site, and then the policies are applied based on an established hierarchical order. Because a GPO represents a complete collection of configuration details, each GPO includes configuration attributes stored in Active Directory objects and a set of Administrative templates. Administrative templates define the set of configuration options available and how the settings are displayed and configured in the Group Policy Object Editor. There is a default set of administrative templates created with any new GPO. These administrative templates are stored as files with the .adm extension. The default administrative templates are primarily intended to provide configuration options for Windows users and computers. With DirectControl, you can configure some settings in the default administrative templates that apply to UNIX users or computers. For most of the configuration settings that apply to UNIX users or computers, you must use the Centrify DirectControl administrative template, centrifydc.adm, which you can install when you run the setup program on a Windows computer.

In a Windows environment, most of the configuration settings defined in GPOs are implemented through entries in the local Windows registry. For UNIX computers, local configuration details are typically defined through a set of configuration files stored in the /etc directory. In addition to having configuration information stored in different ways, the Windows and UNIX environments typically require different specific configuration options to work properly. To address these differences between the platforms and to extend group policies so that they can apply to UNIX computers and users, Centrify DirectControl:

- Provides its own administrative template to define UNIX-specific configuration settings.

- Uses the adclient daemon to collect configuration details from Active Directory based on the GPOs and maintains a virtual registry of those configuration settings on the local UNIX computer. The virtual registry is a collection of files that contain all of the group policy configuration settings from the group policies applied to the computer through the group policy hierarchy. DirectControl uses a set of mapping programs to read the files, determine the settings that are applicable to UNIX computers, and make the appropriate changes in the corresponding UNIX configuration files to implement the configuration specified.

The following figure illustrates how group policy settings are applied to a UNIX computer through DirectControl.

Figure: How DirectControl applies Group Policy to a UNIX computer

Each GPO includes several default administrative templates (.adm files) that define the set of configuration settings available and how the configuration settings are presented in the Group Policy Object Editor. To include the DirectControl configuration settings for UNIX in a GPO, you need to add the Centrify DirectControl administrative template, centrifydc.adm, to the GPO in the editor. You can accomplish this by using the following procedure.

To add centrifydc.adm to the GPO:

1. Make sure that the following steps are completed:
   - The Centrify DirectControl Windows software is installed on the Windows computer that you use to perform this procedure.
   - The Group Policy Templates were installed when you installed DirectControl. If you are not sure whether the Group Policy Templates component is installed, re-run the DirectControl setup program on the Windows computer you are using.
2. Click Start, select Run, type mmc, and then click OK.
3. In the MMC console, click File, and then click Add/Remove Snap-in.
4. Click Add, select Group Policy Object Editor, and then click Add.
5. On the Welcome to the Group Policy Wizard page, click Browse, select Default Domain Policy, and then click OK.
6. Click Finish, click Close, and then click OK.
7. Expand the tree for Default Domain Policy, and then expand Computer Configuration.
8. Right-click Administrative Templates, and then select Add/Remove Templates.
9. In Add/Remove Templates, select Add.
10. Browse to the inf directory in your Windows directory.
11. Double-click centrifydc.adm.
12. Select Close.
13. You can view or modify group policy settings for computers or users in the domain as follows:
   - View or modify group policy settings for domain computers under Default Domain Policy > Computer Configuration > Administrative Templates > CentrifyDC Settings.
   - View or modify group policy settings for domain users under Default Domain Policy > User Configuration > Administrative Templates > CentrifyDC Settings.

After you add the Centrify DirectControl administrative template to a GPO, you can use the Group Policy Object Editor to assign values for the settings provided by the template. The following screenshot shows an example of a policy configured to deal with UID conflict resolution. With this example policy, when a user logs on, if PAM discovers that the user's Active Directory record has the same UID or the same user name as a local system account, the system does not allow the user to log on.

Figure: A policy that disables a user logon if there is a UID conflict, configured in the Group Policy Object Editor with the DirectControl administrative template
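The UID conflict rule described above, as an added example that is not Centrify code: it applies the same test (an Active Directory user's UNIX name or UID already used by a local account) to constructed /etc/passwd lines and constructed AD profiles, so an administrator can audit a computer for conflicts before enabling the deny policy. The ADUnixProfile layout and the function names are assumptions made for this example.

```python
"""UID / user-name conflict check between Active Directory UNIX profiles and
the local account database.

Added example, not Centrify code. It mirrors the DirectControl group policy
that refuses a logon when the AD user's UID or user name is already used by
a local account. The ADUnixProfile layout is an assumption for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LocalAccount:
    name: str
    uid: int
    gid: int


@dataclass(frozen=True)
class ADUnixProfile:
    """UNIX attributes stored for an AD user (constructed layout)."""
    sam_account_name: str
    unix_name: str
    uid: int
    gid: int


def parse_passwd(text: str) -> List[LocalAccount]:
    """Parse /etc/passwd content. Blank lines, comments and malformed rows
    (wrong field count, non-numeric uid/gid) are skipped rather than guessed."""
    accounts: List[LocalAccount] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, _home, _shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            continue
        accounts.append(LocalAccount(name, int(uid), int(gid)))
    return accounts


def find_conflicts(profile: ADUnixProfile, local: List[LocalAccount]) -> List[str]:
    """Return the reasons the policy would refuse this user's logon.
    An empty list means the AD profile collides with no local account."""
    reasons: List[str] = []
    for acct in local:
        if acct.name == profile.unix_name:
            reasons.append(
                f"user name '{profile.unix_name}' is already a local account (UID {acct.uid})")
        elif acct.uid == profile.uid:
            reasons.append(
                f"UID {profile.uid} is already assigned to local account '{acct.name}'")
    return reasons


def evaluate_logon(profile: ADUnixProfile, passwd_text: str,
                   deny_on_conflict: bool = True) -> Tuple[bool, List[str]]:
    """Decide whether the logon proceeds. With deny_on_conflict=False (policy
    not enabled) the conflicts are still returned so they can be logged."""
    reasons = find_conflicts(profile, parse_passwd(passwd_text))
    allowed = not (deny_on_conflict and reasons)
    return allowed, reasons


def audit_zone(profiles: Dict[str, ADUnixProfile],
               passwd_text: str) -> Dict[str, List[str]]:
    """Pre-deployment audit: every AD user that would be refused on this
    computer, with the reasons, so the zone profile can be fixed first."""
    local = parse_passwd(passwd_text)
    report = {name: find_conflicts(p, local) for name, p in profiles.items()}
    return {name: reasons for name, reasons in report.items() if reasons}


# Constructed sample data for the example (not taken from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
# oracle was created by hand before the computer joined the domain
oracle:x:1001:1001:Oracle DBA:/home/oracle:/bin/bash
jsmith:x:1002:1002:John Smith (local):/home/jsmith:/bin/bash
broken:x:notanumber:50:bad row:/nonexistent:/bin/false
"""

AD_USERS = {
    "alice": ADUnixProfile("alice", "alice", 5001, 5000),     # no conflict
    "bob": ADUnixProfile("bob", "bob", 1001, 5000),           # UID clash with oracle
    "jsmith": ADUnixProfile("jsmith", "jsmith", 7002, 5000),  # name clash with local jsmith
}


if __name__ == "__main__":
    for name, profile in AD_USERS.items():
        allowed, reasons = evaluate_logon(profile, SAMPLE_PASSWD)
        print(f"{name}: {'allowed' if allowed else 'DENIED'} {reasons}")
```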
Summary

The migration to the End State using Centrify's DirectControl lets you use Active Directory to authenticate UNIX clients with Kerberos and to access UNIX authorization and identity information with LDAP. The DirectControl solution is both flexible and extensible. Numerous features built into the DirectControl architecture support extending Microsoft-based authentication, authorization, access control, and policy well beyond centralized identity management for UNIX and Linux computers. Support for identity-enabled applications that take advantage of your organization's Active Directory investment can provide substantial benefits in terms of increased end-user productivity, enhanced ease of management, and improved access control and security. Features for controlling user, data, and application access enable organizations to better manage who gets access to what resources regardless of the platform that they use. The ability to track and report computer access and user privileges and take quick centralized action if necessary to remediate security issues helps you take control over heterogeneous computing platforms. These capabilities also help you stay compliant with regulatory authorities. All of these features and more are supported out of the box with the Centrify DirectControl suite.

For more information about the Centrify DirectControl product family, access to detailed white papers describing typical customer scenarios and product comparisons, or to obtain evaluation copies of the products covered in this guide:

- Visit the Centrify Web site.
- Send e-mail to Centrify: [email protected].
- Call Centrify.
Centrify's Solution for Migrating UNIX Directories to Active Directory
WHITE PAPER CENTRIFY CORP. JANUARY 2007 Centrify's Solution for Migrating UNIX Directories to Active Directory Leveraging Centrify s DirectControl and Zone Technology to Simplify Migration ABSTRACT Microsoft
Vintela Authentication from SCO Release 2.2. System Administration Guide
Vintela Authentication from SCO Release 2.2 System Administration Guide November 19, 2003 COPYRIGHT (c) Copyright 2003 Vintela, Inc. All Rights Reserved. (c) Copyright 2003 The SCO Group, Inc. Vintela
Windows Least Privilege Management and Beyond
CENTRIFY WHITE PAPER Windows Least Privilege Management and Beyond Abstract Devising an enterprise-wide privilege access scheme for Windows systems is complex (for example, each Window system object has
An Overview of Samsung KNOX Active Directory and Group Policy Features
C E N T R I F Y W H I T E P A P E R. N O V E M B E R 2013 An Overview of Samsung KNOX Active Directory and Group Policy Features Abstract Samsung KNOX is a set of business-focused enhancements to the Android
Single Sign On. Configuration Checklist for Single Sign On CHAPTER
CHAPTER 39 The single sign on feature allows end users to log into a Windows client machine on a Windows domain, then use certain Cisco Unified Communications Manager applications without signing on again.
Using Apple Remote Desktop to Deploy Centrify DirectControl
APPLICATION NOTE Using Apple Remote Desktop to Deploy Centrify DirectControl Published: June 2007 Abstract Apple Remote Desktop is commonly used by administrators to perform various administrative management
ADMT v3.1 Guide: Migrating and Restructuring Active Directory Domains
ADMT v3.1 Guide: Migrating and Restructuring Active Directory Domains Microsoft Corporation Published: July 2008 Authors: Moon Majumdar, Brad Mahugh Editors: Jim Becker, Fran Tooke Abstract This guide
Integration with Active Directory. Jeremy Allison Samba Team
Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory Unlike the earlier Microsoft Windows NT 4.x Domain directory service which used proprietary DCE/RPC calls,
Module 1: Introduction to Active Directory Infrastructure
Module 1: Introduction to Active Directory Infrastructure Contents Overview 1 Lesson: The Architecture of Active Directory 2 Lesson: How Active Directory Works 10 Lesson: Examining Active Directory 19
Best Practices: Integrating Mac OS X with Active Directory. Technical White Paper April 2009
Best Practices: Integrating Mac OS X Technical White Paper April 2009 2 Contents Page 3 Page 5 Page 9 Page 10 Page 11 Page 12 Apple s Built-In Solution How to Integrate Mac OS X Getting Started dsconfigad
Identity Management based on FreeIPA
Identity Management based on FreeIPA SLAC 2014 Thorsten Scherf Red Hat EMEA What is an Identity Management System (IdM) An IdM system is a set of services and rules to manage the users of an organization
Authentication in a Heterogeneous Environment
Authentication in a Heterogeneous Environment Integrating Linux (and UNIX and Mac) Identity Management in Microsoft Active Directory Mike Patnode VP of Technology Centrify Corporation [email protected]
Mac OS X Directory Services
Mac OS X Directory Services Agenda Open Directory Mac OS X client access Directory services in Mac OS X Server Redundancy and replication Mac OS X access to other directory services Active Directory support
Active Directory Compatibility with ExtremeZ-IP. A Technical Best Practices Whitepaper
Active Directory Compatibility with ExtremeZ-IP A Technical Best Practices Whitepaper About this Document The purpose of this technical paper is to discuss how ExtremeZ-IP supports Microsoft Active Directory.
Single Sign On. Configuration Checklist for Single Sign On CHAPTER
CHAPTER 39 The single sign on feature allows end users to log into a Windows client machine on a Windows domain, then use certain Cisco Unified Communications Manager applications without signing on again.
Google Apps Deployment Guide
CENTRIFY DEPLOYMENT GUIDE Google Apps Deployment Guide Abstract Centrify provides mobile device management and single sign-on services that you can trust and count on as a critical component of your corporate
Ensure that your environment meets the requirements. Provision the OpenAM server in Active Directory, then generate keytab files.
This chapter provides information about the feature which allows end users to log into a Windows client machine on a Windows domain, then use certain Cisco Unified Communications Manager applications without
Migrating Active Directory to Windows Server 2012 R2
Migrating Active Directory to Windows Server 2012 R2 Windows Server 2012 R2 Hands-on lab In this lab, you will complete a migration of a Windows Server 2008 R2 domain environment to Windows Server 2012
Macintosh Printer Management using Centrify DirectControl Group Policies
WHITE PAPER CENTRIFY CORP. MARCH 2010 Macintosh Printer Management using Centrify DirectControl Group Policies ABSTRACT This white paper examines various approaches to managing printer configuration files
Identikey Server Windows Installation Guide 3.1
Identikey Server Windows Installation Guide 3.1 Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis,
Hyper-V Server 2008 Setup and Configuration Tool Guide
Hyper-V Server 2008 Setup and Configuration Tool Guide Microsoft Corporation Published: October 2008 Author: Cynthia Nottingham Abstract This guide will help you set up and configure Microsoft Hyper-V
Centrify Server Suite Management Tools
SERVER SUITE TECHNICAL BRIEF Centrify Server Suite Management Tools Centrify Server Suite includes - at no extra charge - a powerful set of management tools in all editions: Centrify Identity Risk Assessor
How To Configure the Oracle ZFS Storage Appliance for Quest Authentication for Oracle Solaris
How To Configure the Oracle ZFS Storage Appliance for Quest Authentication for Oracle Solaris January 2014; v1.3 By Andrew Ness This article describes how to configure Quest Authentication Services in
NetIQ Identity Manager Setup Guide
NetIQ Identity Manager Setup Guide July 2015 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE
Using Likewise Enterprise to Boost Compliance with Sarbanes-Oxley
Likewise Enterprise Using Likewise Enterprise to Boost Compliance with Sarbanes-Oxley IMPROVE SOX COMPLIANCE WITH CENTRALIZED ACCESS CONTROL AND AUTHENTICATION With Likewise Enterprise, you get one user,
CENTRIFY TRAINING CLASS Centrify Suite Standard Edition - Mac OS X Training Course Details. Format: 100% lecture including demonstrations.
Centrify Suite Standard Edition - Mac OS X Training Course Details Synopsis This course introduces the customer to the Centrify Mac OS X specific features of the Centrify Suite Standard Edition. What You
Administering Group Policy with Group Policy Management Console
Administering Group Policy with Group Policy Management Console By Jim Lundy Microsoft Corporation Published: April 2003 Abstract In conjunction with Windows Server 2003, Microsoft has released a new Group
DriveLock Quick Start Guide
Be secure in less than 4 hours CenterTools Software GmbH 2012 Copyright Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise
VMware Identity Manager Administration
VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new
P13 -Leveraging Active Directory to Secure and Audit Access to Non-
P13 -Leveraging Active Directory to Secure and Audit Access to Non- Presented by: Windows Systems David McNeely, Sr. Director of Product Management [email protected] Centrify Corporation Trust
Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab
Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab Microsoft Corporation Published: May, 2005 Author: Microsoft Corporation Abstract This guide describes how to create
Integrated Approach to User Account Management
Mission Critical Enterprise Systems Symposium 2006 Integrated Approach to User Account Management Kesselman, Glenn and Smith, William Lockheed Martin Mission Services Quest Software Public Sector October
System Security Services Daemon
System Security Services Daemon System Security Services Daemon Manages communication with centralized identity and authentication stores Provides robust, predictable caching for network accounts Can cache
Installing Windows Rights Management Services with Service Pack 2 Step-by- Step Guide
Installing Windows Rights Management Services with Service Pack 2 Step-by- Step Guide Microsoft Corporation Published: October 2006 Author: Brian Lich Editor: Carolyn Eller Abstract This step-by-step guide
ADMT v3 Migration Guide
ADMT v3 Migration Guide Microsoft Corporation Published: November 2006 Abstract This guide explains how to use the Active Directory Migration Tool version 3 (ADMT v3) to restructure your operating environment.
Active Directory Compatibility with ExtremeZ-IP
Active Directory Compatibility with ExtremeZ-IP A Technical Best Practices White Paper Group Logic White Paper October 2010 About This Document The purpose of this technical paper is to discuss how ExtremeZ-IP
An Overview of Samsung KNOX Active Directory-based Single Sign-On
C E N T R I F Y W H I T E P A P E R. S E P T E M B E R 2013 An Overview of Samsung KNOX Active Directory-based Single Sign-On Abstract Samsung KNOX is a set of business-focused enhancements to the Android
Microsoft Dynamics AX 2009 Installation Guide. Microsoft Corporation Published: November 2009
Microsoft Dynamics AX 2009 Installation Guide Microsoft Corporation Published: November 2009 Microsoft Dynamics is a line of integrated, adaptable business management solutions that enables you and your
SECURITY TARGET FOR CENTRIFY SUITE VERSION 2013.2
SECURITY TARGET FOR CENTRIFY SUITE VERSION 2013.2 Document No. 1769-000-D0007 Version: v0.89, 12 September 2013 Prepared for: Centrify Corporation 785 N. Mary Avenue, Suite 200 Sunnyvale, California USA,
Centrify DirectAudit Jump Start Service
CENTRIFY DATASHEET Centrify DirectAudit Jump Start Service What is the Centrify DirectAudit Jump Start Service? The Centrify DirectAudit Jump Start Basic Service is designed to give customers a quick start
Configuring IBM Cognos Controller 8 to use Single Sign- On
Guideline Configuring IBM Cognos Controller 8 to use Single Sign- On Product(s): IBM Cognos Controller 8.2 Area of Interest: Security Configuring IBM Cognos Controller 8 to use Single Sign-On 2 Copyright
TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual
TIBCO Spotfire Web Player 6.0 Installation and Configuration Manual Revision date: 12 November 2013 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED
What s New in Centrify Server Suite 2013 Update 2
CENTRIFY SERVER SUITE 2013.2 DATA SHEET What s New in Centrify Server Suite 2013 Update 2 The new Centrify Server Suite 2013 Update 2 (2013.2) builds on the core enhancements Centrify introduced in Server
Microsoft Corporation. Status: Preliminary documentation
Microsoft Corporation Status: Preliminary documentation Beta content: This guide is currently in beta form. The AppLocker team greatly appreciates you reviewing the document and looks forward to receiving
Redeploying Microsoft CRM 3.0
Redeploying Microsoft CRM 3.0 2005 Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies,
AD RMS Step-by-Step Guide
AD RMS Step-by-Step Guide Microsoft Corporation Published: March 2008 Author: Brian Lich Editor: Carolyn Eller Abstract This step-by-step guide provides instructions for setting up a test environment to
Best Practices: Integrating Mac OS X with Active Directory. Technical White Paper September 2007
Best Practices: with Active Directory Technical White Paper September 2007 Contents Page 3 Page 4 Page 8 Page 10 Page 11 Page 13 Apple s Built-In Solution How to Integrate Mac OS X with Active Directory
Citrix Systems, Inc.
Citrix Password Manager Quick Deployment Guide Install and Use Password Manager on Presentation Server in Under Two Hours Citrix Systems, Inc. Notice The information in this publication is subject to change
Step By Step Guide: Demonstrate DirectAccess in a Test Lab
Step By Step Guide: Demonstrate DirectAccess in a Test Lab Microsoft Corporation Published: May 2009 Updated: October 2009 Abstract DirectAccess is a new feature in the Windows 7 and Windows Server 2008
Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course Number: 6425C Course Length: 5 Days Course Overview This five-day course provides in-depth training on implementing,
CA Performance Center
CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
IDENTIKEY Server Windows Installation Guide 3.2
IDENTIKEY Server Windows Installation Guide 3.2 Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis,
File and Printer Sharing with Microsoft Windows
Operating System File and Printer Sharing with Microsoft Windows Microsoft Corporation Published: November 2003 Abstract File and printer sharing in Microsoft Windows allows you to share the contents of
Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment
Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment (Exam 70-290) Table of Contents Table of Contents... 1 Course Overview... 2 Section 0-1: Introduction... 4
EventTracker: Support to Non English Systems
EventTracker: Support to Non English Systems Publication Date: April 25, 2012 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Introduction This document has been prepared to
Managing Linux Servers with System Center 2012 R2
Managing Linux Servers with System Center 2012 R2 System Center 2012 R2 Hands-on lab In this lab, you will use System Center 2012 R2 Operations Manager and System Center 2012 R2 Configuration Manager to
Configuring Integrated Windows Authentication for JBoss with SAS 9.3 Web Applications
Configuring Integrated Windows Authentication for JBoss with SAS 9.3 Web Applications Copyright Notice The correct bibliographic citation for this manual is as follows: SAS Institute Inc., Configuring
Web Interface with Active Directory Federation Services Support Administrator s Guide
Web Interface with Active Directory Federation Services Support Administrator s Guide Web Interface with Active Directory Federation Services (ADFS) Support Citrix Presentation Server 4.0 for Windows Copyright
RSA Authentication Manager 8.1 Help Desk Administrator s Guide
RSA Authentication Manager 8.1 Help Desk Administrator s Guide Contact Information Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm
70-640 R4: Configuring Windows Server 2008 Active Directory
70-640 R4: Configuring Windows Server 2008 Active Directory Course Introduction Course Introduction Chapter 01 - Installing the Active Directory Role Lesson: What is IDA? What is Active Directory Identity
Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities
Identity and Access Management Integration with PowerBroker Providing Complete Visibility and Auditing of Identities Table of Contents Executive Summary... 3 Identity and Access Management... 4 BeyondTrust
Administration Guide. SecureLogin 8.0. October, 2013
Administration Guide SecureLogin 8.0 October, 2013 Legal Notice NetIQ Product Name is protected by United States Patent No(s): nnnnnnnn, nnnnnnnn, nnnnnnnn. THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN
WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)
WHITE PAPER Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ) SEPTEMBER 2004 Overview Password-based authentication is weak and smart cards offer a way to address this weakness,
Centrify for Web Applications
Centrify for Web Applications Authentication Guide for Apache Servers June 2014 Centrify Corporation Legal notice This document and the software described in this document are furnished under and are subject
Integrating Mac OS X 10.6 with Active Directory. 1 April 2010
Integrating Mac OS X 10.6 with Active Directory 1 April 2010 Introduction Apple Macintosh Computers running Mac OS X 10.6 can be integrated with the Boston University Active Directory to allow use of Active
Introduction to DirectAccess in Windows Server 2012
Introduction to DirectAccess in Windows Server 2012 Windows Server 2012 Hands-on lab In this lab, you will configure a Windows 8 workgroup client to access the corporate network using DirectAccess technology,
Copyright 2014 Jaspersoft Corporation. All rights reserved. Printed in the U.S.A. Jaspersoft, the Jaspersoft
5.6 Copyright 2014 Jaspersoft Corporation. All rights reserved. Printed in the U.S.A. Jaspersoft, the Jaspersoft logo, Jaspersoft ireport Designer, JasperReports Library, JasperReports Server, Jaspersoft
Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0
Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0 Microsoft Corporation Published: September 2009 Abstract This step-by-step guide describes a sample scenario for installing Microsoft
RSA Authentication Manager 8.1 Help Desk Administrator s Guide. Revision 1
RSA Authentication Manager 8.1 Help Desk Administrator s Guide Revision 1 Contact Information Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm
Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Course 6425B: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Length: 5 Days Language(s): English Audience(s): IT Professionals Level: 200 Technology: Windows Server
Module 3: Implementing an Organizational Unit Structure
Module 3: Implementing an Organizational Unit Structure Contents Overview 1 Lesson: Creating and Managing Organizational Units 2 Lesson: Delegating Administrative Control of Organizational Units 13 Lesson
Centrify Single Sign-On
Centrify Single Sign-On Configuring Integration with SAP December 2014 Centrify Corporation Legal notice This document and the software described in this document are furnished under and are subject to
Identity Management: The authentic & authoritative guide for the modern enterprise
Identity Management: The authentic & authoritative guide for the modern enterprise Ellen Newlands, Product Manager Dmitri Pal, Director, Engineering 06-26-15 Goals of the Presentation Introduce Identity
Course 6425B: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Course 6425B: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services About this Course This five-day instructor-led course provides to teach Active Directory Technology Specialists
Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course Details Course Outline Module 1: Introducing Active Directory Domain Services This module provides
