Evaluation Guide
November 2011
Centrify Corporation
Legal notice
This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document as is without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time. © 2004-2011 Centrify Corporation. All rights reserved. Portions of Centrify DirectControl are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement. Centrify, DirectAudit, DirectControl and DirectSecure are registered trademarks and DirectAuthorize and DirectManage are trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries. Centrify Suite is protected by U.S. Patents 8,024,360 and 7,591,005. The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.
Contents
About this guide, page 5
    Intended audience, 5
    Conventions used in this guide, 6
    Using this guide, 6
    Where to go for more information, 8
    Contacting Centrify, 9
Chapter 1, Start Here, page 11
    What is Centrify Suite?, 11
    How Centrify Suite Works, 20
    How to deploy Centrify Suite, 26
    Next Steps, 26
Chapter 2, Setting up the evaluation environment, page 29
    Windows requirements, 30
    UNIX requirements, 30
    Site Preparation, 31
    Software installation overview, 33
    Stage 1: Windows system software installation, 35
    Stage 2: UNIX system(s) software installation, 38
    Reboot UNIX computer(s), 54
Chapter 3, A&A: Basic Authentication and Authorization, page 55
    Create and delegate OU for UNIX, 56
    First time setup with the Administrator Console, 57
    Add UNIX users and create Zones, 61
    Create groups, add users, assign role, 69
    Join UNIX computer to a Zone, 73
    Log in to the UNIX computer, 77
    Make machine-level adjustments, 79
    Show Users, 80
    Summary, 81
Chapter 4, A&A: Just in time provisioning, page 83
    Create admin groups and add users, 83
    Create new privileges, roles and assignments, 84
    Create computer role and assign group, 88
    Delegating Control, 92
    Making Changes, 94
    Where to next, 95
Chapter 5, A&A: Administrator Console reports, page 97
    Understanding DirectControl Administrator Console reporting, 97
    Running DirectControl Administrator Console reports, 98
    Creating and modifying report definitions, 100
Chapter 6, A&A: DirectManage UNIX adtools, page 103
    Centrify Suite UNIX adtools, 103
    ADEdit overview, 104
    Script Example, 107
    Inside the script, 111
Chapter 7, A&A: Active Directory Group Policy Controls, page 113
    Using AD group policies for UNIX users and computers, 113
    Understanding Group Policy, 113
    Adding Centrify Suite group policies for UNIX, 114
    Group Policy Examples, 116
Chapter 8, Audit: Set up the evaluation environment, page 123
    Evaluation System Configuration, 123
    Installing the DirectAudit components, 124
    Replay example, 130
Chapter 9, Audit: Session replay and management, page 133
    Enable audit on the UNIX systems, 133
    Auditor Console, 134
    Queries, 137
    Direct Audit UNIX Utilities, 139
    Windows Start-menu utilities, 141
    Administrator Console, 141
    Close sessions, 142
    Where to next, 143
Chapter 10, Completing the evaluation, page 145
Appendix A, Using Centrify Suite with SSH, page 151
Appendix B, DirectControl Network Information Service, page 155
    Creating and importing NIS maps in the default zone, 155
    Starting the adnisd daemon, 156
    Testing adnisd, 157
Appendix C, Remove Centrify Suite components, page 159
    Remove agents, NIS and OpenSSH from UNIX computer(s), 159
    Remove DirectAudit from Windows systems, 161
    Remove DirectManage components, 162
Index, page 165
Web applications and application servers, such as Apache, Tomcat, JBoss, and WebLogic; databases such as DB2; and enterprise applications such as SAP.
Centrify Suite is composed of an integrated set of software components you install on a Windows workstation and on each UNIX/Mac OS/Linux/AIX/HP UX/... computer. The services and tools automatically route login attempts to the UNIX computers through the Active Directory domain controller and give administrators the ability to create escalated privileges, define roles and provision rights to the UNIX systems. The Centrify Suite provisioning model uses a simple, natural method that simplifies on-going administration and maintenance and assures highly granular delegated administration. The broad business benefits include:
    One management framework: Centralizes the administration of complex environments into a well-organized management framework built on Active Directory.
    Simplified day-to-day access and privilege administration: Natural integration of the UNIX systems into existing support processes and workflows.
    Fine security granularity: Enforces a Least Access policy, granting limited access based on business requirements only, to protect sensitive systems and information.
    Separation of duties: Granular delegation based on Active Directory access control policies and security boundaries.
    Rapid deployment/integration: Integrated tools that automate UNIX system discovery and analysis, software installation and joining to the Active Directory domain.
Intended audience
This book is intended for system and network administrators tasked with assessing the suitability of the Centrify Suite to their environment. The guide assumes you have a working knowledge of Windows Server and Active Directory and are familiar with Active Directory features, functionality, and terminology. This guide also assumes you are familiar with your UNIX-based systems and how to perform common administrative tasks.
Fixed-width font is used for sample code, program names, program output, file names, and commands that you type at the command line. When italicized, the fixed-width font is used to indicate variables. In addition, in command line reference information, square brackets ([ ]) indicate optional arguments.
Bold text is used to emphasize commands, buttons, or user interface text.
The variable release is used in place of the specific release number in the file names for individual Centrify Suite software packages. For example, centrifydc-release-sol8sparc-local.tgz in this guide refers to the specific release of the Centrify Suite Agent for Solaris on SPARC available on the Centrify Suite CD or in the Centrify Suite download package. On the CD or in the download package, the file name indicates the Centrify Suite version number. For example, for a 3.0.0 package, the file is centrifydc-3.0.0-sol8sparc-local.tgz.
Chapter 2, Setting up the evaluation environment: Continue with this chapter to install the Centrify Suite software on your Windows workstation and UNIX computer(s).
Chapter 3, A&A: Basic Authentication and Authorization: This chapter begins the configuration of the evaluation system. In this chapter, the instructions guide you through several exercises that end with users logging on to the UNIX computer(s) in your network using Active Directory accounts.
Chapter 4, A&A: Just in time provisioning: This chapter continues the configuration. The exercises in this chapter demonstrate how to use Active Directory groups and Centrify Suite tools and features to generalize user and group rights and roles where you can and apply them with fine, granular precision where you need to.
Chapter 5, A&A: Administrator Console reports: This chapter describes the Administrator Console reports available to display and generate hardcopy on your system configuration.
Chapter 6, A&A: DirectManage UNIX adtools: Thus far, the exercises used the Windows workstation's Active Directory and Centrify Suite console interfaces. This chapter describes the UNIX tools, including a powerful command-line utility, included in the suite.
Chapter 7, A&A: Active Directory Group Policy Controls: Centrify Suite supports the use of Active Directory Group Policy objects for the UNIX computers. This chapter shows how to use the Microsoft Management Console Group Policy Object Editor to enable several Centrify Suite policies.
Chapter 8, Audit: Set up the evaluation environment: The Centrify Suite Enterprise Edition includes the DirectAudit auditing tool. This chapter introduces the DirectAudit architecture and features and describes how to install the software on the Windows and UNIX nodes you want to monitor.
Chapter 9, Audit: Session replay and management: This chapter describes the DirectAudit console interfaces and session management tools.
Chapter 10, Completing the evaluation: There's a lot to consider for your evaluation and a lot is offered in Centrify Suite. This chapter helps you approach the analysis systematically.
Appendix A, Using Centrify Suite with SSH: Although many UNIX systems have an sshd server installed, many are older implementations that do not support Kerberos. Centrify Suite includes a compiled version of the latest OpenSSH distribution with Kerberos support. This appendix explains how to use it.
Appendix B, DirectControl Network Information Service: For computers and applications that submit lookup requests directly to a NIS server listening on the NIS port, Centrify Suite includes its own DirectControl Network Information Service. This appendix tells you how to install and test it.
Appendix C, Remove Centrify Suite components: This appendix describes how to remove the Centrify Suite components from the Windows and UNIX computers.
Centrify Suite Administrator's Guide (AdminGuide.pdf): Provides information on how to perform administrative tasks using the Centrify Suite Administrator Console and UNIX command line programs. The Administrator's Guide focuses on managing your environment after deployment.
Centrify Suite ADEdit Programmer's Guide (ADEditGuide.pdf): This Evaluation Guide introduces the adedit UNIX command-line tool. Scan through this book to learn about all of adedit's features and functions.
Centrify DirectAudit Administrator Guide (DA_AdminGuide.pdf): DirectAudit helps you comply with regulatory requirements by collecting detailed audit and log records of user activity on UNIX and Windows systems. This book explains in detail how to install, configure and use DirectAudit. For more information about DirectAudit, you should also visit the Centrify DirectAudit web page: www.Centrify.com/DirectAudit
We also recommend the following books in the Centrify Suite if you have questions or need a more comprehensive view:
Centrify Suite Group Policy Guide (GroupPolicy.pdf): Contains instructions on the use of the Centrify Suite group policies to customize user-based and computer-based configuration settings.
Centrify Suite Configuration Parameters Reference Guide (ConfigParameters.pdf): Provides the reference information about the Centrify DirectControl configuration parameters that enable you to customize your environment. Many of these settings can also be controlled through group policies.
DirectControl for Web Applications Authentication Guide for Apache (Web_Apache.pdf): Describes how to use the Centrify Suite with Apache Web servers and applications to provide single sign on authentication and authorization services through Active Directory.
DirectControl for Web Applications Authentication Guide for Java Applications (Web_Java.pdf): Describes how to use Centrify Suite with J2EE applications to provide single sign on authentication and authorization services through Active Directory. If you are using Centrify Suite with Java servlets, such as Tomcat, JBoss, WebLogic, or WebSphere, you should refer to this supplemental documentation for details about how to configure your applications to use Centrify Suite and Active Directory.
A number of other manuals are also provided in the Documentation directory, including release notes and the documentation for the Centrify versions of the Samba and PuTTY programs and Network Information Service (NIS). The UNIX utilities also include comprehensive man pages. In addition, check out the Centrify Resource Center at http://www.centrify.com/resources/overview.asp for helpful technical videos, application notes, white papers and other materials to help you become more familiar with the Centrify Suite solutions.
Contacting Centrify
If you have a problem during Centrify Suite software installation or configuration, need help with Active Directory configuration, or want clarification on best practices, contact your Centrify System Engineer or Technical Support. Go to www.centrify.com/support and log in for the Technical Support contact information.
Chapter 1
Start Here
This chapter introduces the Centrify Suite components and methods for managing the UNIX users, tools and machines via Active Directory. The following topics are covered:
    What is Centrify Suite?
    How Centrify Suite Works
    How to deploy Centrify Suite
    Next Steps
Centrify Suite includes a Windows-based Administrator Console to create UNIX user, group and computer privileges and roles. UNIX command line tools are also included so that you can create and manage the UNIX users and groups in Active Directory entirely from a UNIX terminal. Centrify Suite uses standard Active Directory objects and their attributes to store UNIX user and group profile data; there are no supplementary ID repositories on any Windows systems or UNIX computers. In addition, Centrify Suite includes comprehensive policy templates that let you use the Microsoft Management Console to set up Group Policy Objects with policies for the UNIX computers.
Centrify Suite software is available for a wide variety of platforms and supports Active Directory authentication via PAM for user ID and password as well as GSSAPI for Kerberos. In addition, it offers options that support single sign on for Web applications, Java and popular databases, and access to file shares on a UNIX server using Samba for native Windows SMB protocol support.
The Centrify Suite also pays particular attention to managing the administration complexities that accrete over time on UNIX systems. For example, many of our customers have users with a different user ID on each UNIX computer. It is also common for some users, for example a dba, to have escalated privileges because it was inconvenient to define just the rights required to do the job.
Once in place, the Centrify Suite provides the following benefits:
    Simplicity: You have one ID repository for Windows and UNIX users. Using Active Directory for everyone has several big advantages: UNIX users can have a single, globally unique user ID. You adjust UNIX user and group attributes centrally. You use the same everyday tools and user and group objects to manage the UNIX and Windows users, groups and machines.
    Security: The Centrify Suite approach to UNIX user privileges supports granularity, delegation and inheritance so that you can assign access rights broadly as appropriate and finely to enforce a least access policy.
    Flexibility: The Centrify Suite hierarchical approach to users, computers, groups and roles lets you construct a security model that aligns with your current practices. You will find that your model is easily updated as users change roles, servers are added or repurposed, and re-organizations shift people into new departments and roles.
    Protection and compliance: The Centrify Suite DirectAudit option captures and stores UNIX user sessions and GUI activity from Windows sessions. Auditors and network administrators can view or replay session activities to spot suspicious behaviors or troubleshoot problems.
tend to give too many users root permission, run unnecessary security risks, and invariably fail audits. By controlling how users access systems and what they can do, DirectAuthorize enables you to lock down sensitive systems and eliminate uncontrolled use of root accounts and passwords.
DirectManage: Centralized management
Centrify DirectManage is an integrated set of tools that centralize the discovery, management and user administration of UNIX and Mac systems through integration into Active Directory-based tools and processes. The tools address both sets of global tasks for managing UNIX users in Active Directory:
    Migrating identities into Active Directory, managing policies, and generating reports.
    Deploying, configuring and managing the Centrify Suite solutions.
The DirectManage tools also include several utilities you can run from a UNIX computer for querying status and managing Active Directory accounts directly.
DirectAudit: Detailed auditing of user activity
Centrify DirectAudit helps you comply with regulatory requirements, perform in-depth troubleshooting, and protect against insider threats. DirectAudit's detailed logging strengthens your compliance reporting and helps you spot suspicious activity by showing which users accessed what systems, what commands they executed, and what changes they made to key files and data. With DirectAudit you can also perform immediate, in-depth troubleshooting by replaying and reporting on user activity that may have contributed to system failures. In addition, its real-time monitoring of user sessions enables you to spot suspicious activity. See User session auditing on page 17 for an introduction to DirectAudit.
DirectSecure: Secure sensitive information
Centrify DirectSecure is a policy-based software solution that secures sensitive information by dynamically isolating and protecting cross-platform systems and enabling optional end-to-end encryption of data in motion. DirectSecure leverages your existing Active Directory infrastructure and native IPsec support to block untrusted systems from communicating with trusted systems without changing the network or applications.
In this book you install the DirectControl, DirectAuthorize, DirectManage and DirectAudit products. For more information about DirectSecure contact your sales representative. The following figure illustrates where and how the Centrify Suite components fit in your enterprise network.
On the UNIX computers, the DirectControl Agent redirects login attempts for validation against Active Directory accounts. The DirectManage UNIX tools enable a UNIX user with permissions to query the status of, and make changes to, Active Directory user accounts, Centrify Zones, access rights, roles, etc. The DirectAudit Agent gathers comprehensive user session activity.
On the Windows system, administrators use the Active Directory tools to manage users and groups on a day-to-day basis. When they need to update the configuration, they use:
    the Administrator Console to manage users' UNIX properties, Centrify Zones, access rights, user roles and user/group assignments and generate reports.
    Deployment Manager to manage Centrify Suite software.
    DirectManage tools to modify group policies.
As needed, auditors use DirectAudit to replay Windows or UNIX user sessions, monitor sessions, troubleshoot, and extract sessions that meet certain criteria.
DirectManage Components
The DirectManage tools for Windows centralize the discovery, management and user administration of the UNIX systems. Once the configuration is complete, however, you perform your day-to-day user and group administrative tasks using Active Directory Users and Computers and the MMC for account and group policy management. The DirectManage tools for Windows include the following:
    Administrator Console: Use to create the Centrify global and child zones and computer roles, and the individual rights and logical roles (for example, backup operator, application developer, QA tester) you assign to the Active Directory users and groups. You also use the Administrator Console to configure a user's UNIX profile and manage computer properties. You make extensive use of the Administrator Console in Chapter 3, A&A: Basic Authentication and Authorization and Chapter 4, A&A: Just in time provisioning. The Administrator Console is the Windows interface to the services provided by DirectControl and DirectAuthorize.
    Deployment Manager: Use to discover the UNIX systems on the network, and download and deploy the Centrify Suite packages. You can also use Deployment Manager to join computers to the Active Directory domain controller and manage local accounts and groups. You use the Deployment Manager in Chapter 2, Setting up the evaluation environment.
    Zone Provisioning Agent: Use to automatically provision users with their Zone privileges. The Zone Provisioning Agent is a service you install on the Windows system that allows you to set up Active Directory groups that correspond to the set of access rights you want users to have within a Centrify Zone. As you add a user to one of those Active Directory groups, the Zone Provisioning Agent automatically provisions that user's rights. You use the Zone Provisioning Agent in Chapter 3, A&A: Basic Authentication and Authorization.
    Audit Center: Use to replay, review and query user sessions. The DirectAudit Agent collects detailed logs of user activities on UNIX and Windows systems. The Audit Center provides an interface for auditors to replay individual sessions, catalog sessions for review and analysis, develop queries to filter sessions, etc. The Audit Center also provides an administrator interface for delegating auditor privileges and turning audit sessions on and off. You use the Auditor interface to replay and manage sessions in Chapter 9, Audit: Session replay and management.
    Group Policy Object Editor: Adds policies you can enable in Group Policy objects to manage the UNIX users and computers. DirectManage also gives you the ability to create your own policies through standard administrative templates for policy definition and Perl scripts. You add the DirectManage group policies and enable several policies in Chapter 7, A&A: Active Directory Group Policy Controls.
    Report Center: Use to generate pre-defined reports that answer the most common questions asked by compliance auditors and create custom reports. The Report Center is implemented inside the Administrator Console. It provides detailed, global visibility into access rights, privileges, and security policies. You use the Report Center in Chapter 5, A&A: Administrator Console reports.
    UNIX command-line tools: A set of tools UNIX administrators can use to view status, join the computer to an Active Directory domain, query Active Directory for UNIX user and group attributes and update records, and make changes to Active Directory accounts. See Chapter 6, A&A: DirectManage UNIX adtools, for the description of the command line tools.
    Centrify-enabled PuTTY: A popular, open-source client for Windows systems that provides access to remote UNIX machines. Centrify has added robust Kerberos authentication support to PuTTY in order to provide Single Sign-On to UNIX and Linux systems even in complex environments where fully qualified DNS host names may not match the Active Directory computer name. Additionally, Centrify enables GSSAPI Key Exchange to eliminate the need to manage SSH keys across your server population. PuTTY use is demonstrated in Chapter 3, A&A: Basic Authentication and Authorization.
that filter for the use of specific commands, or capture the activity of a single user.
On Windows servers, the DirectControl Agent captures all user input, activity and output, including the resulting GUI display updates and changes. The following figure illustrates the DirectAudit components you would find in a medium-sized installation.
DirectAudit Components
Audited systems: Any UNIX platform supported by Centrify Suite or Windows-based system that has the DirectAudit Agent installed. All audited systems must be joined to the Active Directory domain controller, in the same forest or a trusted forest.
Collectors: Intermediate services that receive, compress and index the data in real time. Multiple collectors for each audit store are supported to ensure that auditing is always active and to provide redundancy that ensures session capture cannot be interrupted. If all collectors are down, data is cached on the audited system until a collector is back on line.
Audit Store: Repository for the compressed and indexed session data. Designed to provide massive scalability and efficient use of network resources, Audit Stores help scale session databases to multiple instances on separate hosts.
Audit Server: Service that provides central management and enforcement of Audit Roles and execution of distributed queries across the Audit Stores. Audit Servers also centrally control, monitor and report on audit stores, audit collectors and audited systems.
DirectAudit Console: User interface for searching and replaying captured user sessions and generating reports. Users access the data in the Audit Stores indirectly through the Audit Server. There are two DirectAudit consoles:
Auditor: Enables an auditor to search and replay user sessions, retrieve data from captured sessions and generate reports. The administrator can create different auditor roles to limit any one auditor's access rights and privileges.
Administrator: Enables the user to view and administer the configuration of the audited systems, collectors, and audit stores and to assign audit roles.
Both consoles (which can be on the same or separate machines) connect to the other installation components through an audit server. Chapter 8, Audit: Set up the evaluation environment describes how to install and configure DirectAudit Agent. For more information go to Chapter 9, Audit: Session replay and management to see what you can do when the system is in place.
* The Express versions of DirectManage and DirectControl do not support centralized management, Zones, or group policy. Contact your sales representative for more information.
This view, for example, shows the UNIX user identities in the global Zone. In each Zone tree, you can also see the computers joined and the Zone's Authorization rights, roles and assignments that control user access. You use the same window to create Zones, define custom rights, build new roles based on the rights you have created and assign those roles to groups or individual users. Alternatively, Centrify Suite also provides a comprehensive set of UNIX command-line tools designed to enable administrators to manage Active Directory accounts and groups. These command-line tools have also been carefully crafted to support different output options so that they can be integrated with in-house automation or provisioning scripts. For example, you can run the ADEdit Active Directory editing tool from a UNIX computer in the network. ADEdit is designed for administrators who have traditionally administered their systems from UNIX scripts or the UNIX CLI and includes a scripting language so administrators can build their own sets of commands.
UNIX Agent
The DirectControl Agent package is composed of a daemon, a library of dynamically loaded code modules, and Kerberos services. After the computer is joined to the domain controller, the Agent handles the following tasks:
Communicates with Active Directory to authenticate users logging on to the UNIX computer and caches credentials for offline access.
Enforces Active Directory authentication and password policies.
Enforces Active Directory Group Policy to manage UNIX system configuration and security settings.
Provides a Kerberos environment so that existing Kerberos applications automatically work transparently with Active Directory.
Maintains time synchronization with Active Directory.
Supports single sign-on through the Active Directory account for Java- and Web-based applications.
Note
The Agent package also includes DirectManage tools you run from a UNIX console. See Chapter 6, A&A: DirectManage UNIX adtools for the description.
DirectAuthorize is tightly integrated into DirectControl and Active Directory; no additional servers or infrastructure is required. DirectAuthorize stores its role and rights data securely in Active Directory Authorization Manager's existing rights-based logical model and data storage schema found in Windows 2003 and later. The Active Directory property extensions are displayed in a separate tab when you select user and group properties. No Active Directory schema extensions are made when you install and use DirectAuthorize. DirectAuthorize meets compliance-driven requirements for "least access" management by allowing organizations to centrally define logical roles (backup operator, DBA, web developer, application administrator, etc.) that carry with them a specific set of rights. You use DirectAuthorize to create the rights, define roles and define the rights available for each role.
Rights describe both the access method and privileges, specifically:
PAM (Pluggable Authentication Module) rights identify specific PAM-enabled interfaces and applications the user can access, such as FTP, Telnet, SSH, or Informix.
Privileged commands identify specific commands the user can run and whether those commands can be run under the user's own account or as another user account.
Restricted environments provide strictly controlled access to a defined subset of commands in a DirectAuthorize shell (dzsh). In effect, this grants users access to whitelisted applications only, and automatically grants privileged execution where authorized.
Active Directory users or groups can be assigned to one or more roles. A role assignment can apply to all computers in a Centrify Zone or to just a specific computer. For example, in the Engineering Zone the user Chris could be assigned the system administrator role for all computers, and also be assigned a DBA role for a single database server. Thus, roles are a flexible and scalable method for defining users' access methods and privileges for a specific set of systems.
Zones enable migration and management of the most complex UNIX environments to a centralized directory. For example, centralizing the management of the multiple UNIX identities that a user may have across an environment with many UNIX and Linux systems into a common directory is one of the most pressing problems facing organizations. The Centrify hierarchical Zones' support for inheritance simplifies the migration process and enables you to set up a sustainable identity and access management framework within Active Directory that supports different user identities, rights and roles on the UNIX computers. This unique approach enables an enterprise to:
Define a new, rationalized identity namespace for new hires and new systems in a global Zone.
Integrate and centrally manage existing systems supporting legacy, disjointed namespaces through Zone- or computer-level attribute overrides.
Delegate administration with finer granularity, leveraging native Active Directory object and group ACLs.
Enforce a least-access rights model where a role assignment via DirectAuthorize is required to grant access or privileges.
Zone inheritance lets you define a set of user rights once that is then available for role assignment in the parent and all child Zones. Separately, you assemble different sets of rights into logical roles (for example, DBA, backup operator, or system administrator) that are inherited down the Zone structure; roles defined higher in the tree can be used within the child Zones. Users and groups do not get access until a role assignment is made. As above, assignments made in the parent give the users the access privileges to all the computers in the parent and child Zones.
The following figure illustrates a Zone tree structure in the Administrator Console. The Zone hierarchy is composed of a single global [Parent] and two child Zones: FIN [Finance department] and MKTG [Marketing department]. Each Zone has its own set of branches for Computers, UNIX Data (Users, Groups, and NIS maps) and Authorization (Role Assignments, Computer Roles, Role Definitions, and Right Definitions). The right hand pane in this figure also illustrates some Commands (right definitions) that have been created. These rights are only available within the FIN Zone.
Computers
The Computers branch shows all the computers joined to that Zone. The Zone UNIX data and authorizations only apply to the computers listed here. For example, users in the MKTG Zone do not have access to the redhat computer. If you wanted users in both the FIN and MKTG Zones to have access to redhat, it would have to be joined to the global Zone.
UNIX Data
This branch shows all of the users and groups in the Zone. Each user has a full UNIX identity: UID, GID, home directory, GECOS, and default shell. Similarly, the groups have a unique GID.
Note
For practical purposes, users are seldom members of a child Zone. Instead, all users are in the global Zone. This makes it easier to view and manage all of the UNIX users. The exercises in the next section illustrate this best practice.
The UNIX Data branch also includes NIS maps. See Appendix B, DirectControl Network Information Service for more information.
In this branch you define the granular access rights, the user roles, the role assignments and computer roles, which give you another level of precision for assigning rights. You use a right definition to specify an escalated privilege in the same way you define rights in a sudoers file on UNIX computers. This feature lets you centralize escalated rights and limit their application to a specific set of computers. For example, rights defined in the FIN Zone are not available in the MKTG Zone. You use roles to assemble a set of rights to support a group's specific access requirements. For example, the above picture has four roles:
FinDSA: a role created just for the Finance Zone department system administrators
FinWSA: a role created just for the Finance Zone for Web system administrators
listed: a default role in all Zones that grants no privileges but allows a user account to remain in the system, for example, after it has been terminated
login: a default role that provides login privilege
You make the role assignment at the level to which it applies to grant the rights with very granular precision. The following figure illustrates how role assignments limit users' rights.
Users do not get access to a computer in the Zone until they have their rights assigned. This can be done individually, however, the most common practice is to assign a role to a group. The exercises in the next chapters show you how to define the rights, create roles and assign roles to groups.
Computer Roles
Often, administrators want the ability to create a set of computers within a Zone to which they can define a unique set of access rights. For example, consider a department running an Oracle database: the system administrator wants to grant the Oracle DBAs escalated privileges to just those computers, but they do not want to grant them the same privileges to other computers in the Zone. Computer roles let you assign user and group rights to just the computers in a defined role. You define the computer role, put the member machines in the computer role and then assign the users and groups to the user role. For example, in the following figure the FIN child Zone has the FinApache computer role defined. In that computer role, only members of the FinWeb(@Demo group can use the rights defined in the FinWSA role. How to define rights and roles and assign them in zones and computer roles is described in Chapter 4, A&A: Just in time provisioning.
Machine Zone
A Machine Zone is a set of user, group and role assignments for a specific computer. The main reason behind Machine Zones is the frequent management problem in organizations that have multiple, legacy UNIX computers in which the same user has different UNIX properties (UID, GID, shell, home directory, GECOS) on each UNIX computer. Less often, you may have a computer, or a small set of computers, that you cannot assemble into a Computer Role and on which you need to have a unique set of rights and roles. You use a Machine Zone to set user attributes and apply access rights at the machine level. For example, in Make machine-level adjustments on page 79 the instructions show you how to define a new UID for a user that applies to a specific computer; on all other computers the user has the UID assigned at the global level.
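The rights, roles, Zone inheritance, role assignment, computer role and Machine Zone descriptions above all fit in one small model. The following is an added illustration written for this guide's explanation, not Centrify code: Zone, computer, group, user, right and role names (global, FIN, MKTG, FinDSA, FinWSA, FinApache, chris, dana, pat, the UIDs) are constructed, and the evaluation order (the computer's Zone first, then its parents) is an assumption that matches the inheritance rules stated in the text.

```python
"""Toy model of Zones, rights, roles, role assignments and machine-level overrides.

Added illustration, not Centrify code. It shows that a right defined in a Zone is visible
only there and in its child Zones, that a role assembles rights and is inherited downward,
that a user has no rights on a computer until an assignment scoped to the Zone, to that
computer or to a computer role applies, and that a Machine Zone UID override wins.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    parent: "Zone" = None
    computers: set = field(default_factory=set)         # computers joined to this Zone
    rights: set = field(default_factory=set)            # right definitions made here
    roles: dict = field(default_factory=dict)           # role name -> frozenset of rights
    computer_roles: dict = field(default_factory=dict)  # computer role -> set of computers
    assignments: list = field(default_factory=list)     # (principal, role, scope)
    uid_overrides: dict = field(default_factory=dict)   # (user, computer) -> UID

    def chain(self):
        """This Zone and its ancestors, nearest first."""
        z = self
        while z is not None:
            yield z
            z = z.parent

    def visible_rights(self):
        """Rights defined here or in a parent: inherited down, never up or sideways."""
        return set().union(*(z.rights for z in self.chain()))

    def define_role(self, name, rights):
        """A role assembles rights; each right must be visible from this Zone."""
        missing = set(rights) - self.visible_rights()
        if missing:
            raise ValueError(f"rights not visible in Zone {self.name}: {sorted(missing)}")
        self.roles[name] = frozenset(rights)

    def find_role(self, name):
        """Roles defined higher in the tree can be used within child Zones."""
        for z in self.chain():
            if name in z.roles:
                return z.roles[name]
        raise KeyError(name)


def principals(ad, user):
    """The user plus every Active Directory group the user belongs to (constructed AD)."""
    return {user} | {g for g, members in ad["groups"].items() if user in members}


def zone_of(zones, computer):
    """Each computer is joined to exactly one Zone."""
    return next(z for z in zones if computer in z.computers)


def effective_rights(ad, zones, user, computer):
    """Rights a user holds on a computer: none until some role assignment applies."""
    held, who = set(), principals(ad, user)
    for z in zone_of(zones, computer).chain():  # the computer's Zone, then its parents
        for principal, role, scope in z.assignments:
            if principal not in who:
                continue
            if scope == "zone":                  # all computers in z and its child Zones
                applies = True
            elif scope[0] == "computer":         # one specific computer
                applies = scope[1] == computer
            else:                                # ("crole", name): members of a computer role
                applies = computer in z.computer_roles.get(scope[1], set())
            if applies:
                held |= z.find_role(role)
    return held


def resolve_uid(ad, zones, user, computer):
    """A machine-level override wins; otherwise the global Zone identity applies."""
    for z in zone_of(zones, computer).chain():
        if (user, computer) in z.uid_overrides:
            return z.uid_overrides[(user, computer)]
    return ad["uids"][user]


def build_demo():
    """Constructed tree: a global parent with FIN and MKTG child Zones."""
    glob = Zone("global", computers={"redhat"})
    fin = Zone("FIN", parent=glob, computers={"fin-db", "fin-web"})
    mktg = Zone("MKTG", parent=glob, computers={"mktg-app"})
    glob.rights |= {"login", "ssh"}
    glob.define_role("login", {"login", "ssh"})  # default role: login privilege only
    glob.define_role("listed", set())            # default role: account stays, no privileges
    fin.rights |= {"root-shell", "restart-httpd"}  # FIN-only right definitions
    fin.define_role("FinDSA", {"login", "ssh", "root-shell"})
    fin.define_role("FinWSA", {"login", "ssh", "restart-httpd"})
    fin.computer_roles["FinApache"] = {"fin-web"}
    ad = {"groups": {"FinAdmins": {"chris"}, "FinWeb": {"dana"}},
          "uids": {"chris": 5001, "dana": 5002, "pat": 5003}}
    glob.assignments.append(("pat", "listed", "zone"))
    fin.assignments.append(("FinAdmins", "FinDSA", "zone"))               # every FIN computer
    fin.assignments.append(("FinWeb", "FinWSA", ("crole", "FinApache")))  # FIN web servers only
    fin.uid_overrides[("chris", "fin-db")] = 1001                         # legacy UID on one host
    return ad, [glob, fin, mktg]
```

With `build_demo()`, `effective_rights(ad, zones, "chris", "fin-db")` returns the FinDSA rights, the same call for `mktg-app` or the global `redhat` computer returns an empty set (no assignment reaches those computers), `dana` gets FinWSA only on `fin-web` because the assignment is scoped to the FinApache computer role, and `pat` holds the `listed` role, which keeps the account visible but grants nothing. Trying to define a role in MKTG that uses the FIN-only `root-shell` right raises `ValueError`, which is the model's version of "rights defined in the FIN Zone are not available in the MKTG Zone".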
Second, you install the DirectControl Agent on the UNIX computers. The DirectManage package includes the Deployment Manager to automate and manage Agent deployment across your entire network. This tool is useful to deploy the agent in complex environments with many UNIX computers based on multiple operating systems. Go to page 38 to use Deployment Manager. For simple environments with just a few UNIX computers, all with the same operating system, many experienced UNIX administrators find it more convenient to just download the Agent package and install it using UNIX commands. Go to page 51 to install the Agent manually.
After the DirectManage and Agent software are installed, deployment is complete. Once installed, you can begin creating Zones, adding UNIX user identities and centralizing the UNIX users' access control in Active Directory. The remainder of this section expands on the Centrify Suite component descriptions and introduces DirectAudit. If you are eager to get started, confirm that your physical or virtual systems meet the configuration requirements (see page 30) and proceed to the pages shown above.
Next Steps
The purpose of this book is to install the Centrify Suite software in your evaluation environment and guide you through a series of configuration steps that demonstrate its major features and advantages. There are two parts to this book:
Authentication and authorization: The chapter titles in this part are preceded by A&A. These chapters cover the following topics:
Software installation on your evaluation system
Adding accounts, groups and UNIX computers to Active Directory and basic authentication
Creating rights and roles and assigning roles to groups
Generating configuration queries and reports
Centrify Suite command-line tools and scripting language
Centrify Suite group policy templates and creating Group Policy Objects
Audit: The chapter titles in this part are preceded by Auditing. There are two chapters in this part:
Software installation on your evaluation system and component configuration
Replaying and managing sessions
Proceed to the next chapter to install the Centrify Suite software on your Windows systems and UNIX computers.
Chapter 2
The following platforms were used to create the screen captures that illustrate the exercises:
Windows computer: Windows 7 and Windows XP
Windows Server: Windows Server 2008
UNIX computer: Red Hat Enterprise Linux
UNIX requirements
Site Preparation
Software installation overview
Stage 1: Windows system software installation
Stage 2: UNIX system(s) software installation
Windows requirements
Before installing Centrify Suite in the Windows environment, check the following basic requirements for your Windows workstation and Active Directory server:
For this: Windows Server Active Directory domain controller. You need this: Windows Server 2003 R2 or later (Active Directory must support IETF RFC 2307; this feature was introduced in Windows Server 2003 R2) or Windows Server 2008. Separate versions of the Centrify Suite software are provided for 32- and 64-bit systems.
For this: Windows system. You need this: Windows XP Professional, Windows Vista or Windows 7. Separate versions of the Centrify Suite software are provided for 32- and 64-bit systems. The .NET Framework must be installed on the workstation. If it is not, the Centrify Suite setup program will install it for you.
UNIX requirements
The Centrify Suite DirectControl Agent needs to be installed on each UNIX computer you want to manage through Active Directory. Centrify Suite is supported on a wide variety of platforms, including the following:
AIX
Debian (Intel architecture, 32- and 64-bit)
HP-UX (Itanium)
Mac OS
Red Hat Enterprise Linux (Intel architecture, 32- and 64-bit, and PowerPC)
Solaris (SPARC and Intel architecture, 32-bit)
SuSE (Intel architecture, 32- and 64-bit, and PowerPC)
Ubuntu (Intel architecture, 32- and 64-bit)
For the full list, go to the Centrify Download Center and click on the Choose System link at the bottom of the Centrify Suite 2012 options.
Note
You must have an account and password to get access to the Centrify Download Center. If you do not already have an account, please talk to your support representative and get one. The Download Center, for example, has the most up-to-date Agent packages available for immediate download and an Evaluation Center to help with installation and assessment.
Site Preparation
Are you going to install the Centrify Suite software in a physical lab or a virtual environment? For the purpose of site preparation, it doesn't matter: the requirements for the virtual machines are the same as for physical machines. However, there are some additional considerations for virtual environments. In addition to the following site preparation instructions, see Using a virtual environment to evaluate Centrify Suite on page 32. To prepare for the evaluation, you need the following:
A Windows Server computer that is an Active Directory domain controller and has been assigned a DNS Server role.
At least one Windows workstation that is already joined to the Active Directory domain. The workstation also must have the following console snap-ins:
Active Directory Users and Computers (dsa.msc): You use this to add the UNIX users to and create the UNIX groups in Active Directory. If dsa.msc is not already installed, it is available free from Microsoft. Download and install it at this time.
Microsoft Management Console (mmc): You use this to add the Group Policy Object Editor console snap-in, add and remove Centrify Settings, and enable group policies.
Confirm that the target domain functional level is at least Windows Server 2003. To determine a domain's functional level, launch dsa.msc and select the domain. In the Action menu, click Raise domain functional level ... and select Windows Server 2003 or higher.
An Administrator account and password for the Active Directory forest root domain. The forest root Administrator account is the account created when you installed the first Windows server in a new Active Directory site. If you are setting up a separate Active Directory environment for testing purposes, you should have this account information. If you are using an existing Active Directory forest that was not expressly created for this evaluation, you should identify the forest root domain and ensure you have an account on the Windows workstation that is a member of the Domain Admins group to ensure you have all the permissions you need to perform the tests in this evaluation.
Note
At least one UNIX or Linux computer connected to the same network as the domain controller.
Make sure that each UNIX or Linux computer you are testing with includes the Windows DNS server as a nameserver in the /etc/resolv.conf file.
When you configure the DNS Server, you should configure it to perform both forward and reverse lookups and to allow secure dynamic updates.
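The two requirements just stated, that each UNIX computer lists the Windows DNS server as a nameserver in /etc/resolv.conf and that the DNS Server performs forward and reverse lookups, are the usual cause of failed domain joins when they are missed. The following is an added example for this guide, not Centrify's adcheck tool (which the guide covers separately): it parses resolv.conf text and reports whether the Active Directory DNS server is listed. The nameserver-ordering caveat and the search-domain check are additions beyond what the text states, and the addresses, domain name and sample files are constructed.

```python
"""Resolver sanity check for a UNIX computer before it joins Active Directory.

Added example, not Centrify code: parses /etc/resolv.conf text and confirms the Windows
DNS server is listed as a nameserver. Addresses and domain names are constructed.
"""
import ipaddress


def parse_resolv_conf(text):
    """Return the nameservers (in file order) and search domains from resolv.conf text."""
    nameservers, search = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # strip both comment styles
        if not line:
            continue
        key, *values = line.split()
        if key == "nameserver" and values:
            nameservers.append(values[0])
        elif key in ("search", "domain"):
            search.extend(values)
    return {"nameservers": nameservers, "search": search}


def check_ad_dns(text, ad_dns_ip, ad_domain):
    """Return a list of problems; an empty list means the resolver points at the AD DNS.

    The ordering check is an added caveat: the libc resolver queries nameservers in the
    listed order and only moves on when one times out, so a non-AD server listed first
    answers the SRV lookups the join depends on and does not know the domain.
    """
    cfg = parse_resolv_conf(text)
    problems = []
    for ns in cfg["nameservers"]:
        try:
            ipaddress.ip_address(ns)
        except ValueError:
            problems.append(f"nameserver entry is not an IP address: {ns!r}")
    if ad_dns_ip not in cfg["nameservers"]:
        problems.append(f"Windows DNS server {ad_dns_ip} is not listed as a nameserver")
    elif cfg["nameservers"][0] != ad_dns_ip:
        problems.append(f"{ad_dns_ip} is listed but not first; "
                        f"{cfg['nameservers'][0]} is queried first")
    if ad_domain.lower() not in (d.lower() for d in cfg["search"]):
        problems.append(f"search list does not include the AD domain {ad_domain}")
    return problems


# Constructed sample files (RFC 5737 documentation addresses, not real hosts).
RESOLV_OK = """\
# generated for the evaluation lab
search demo.example
nameserver 192.0.2.10   ; Windows Server domain controller running DNS
"""

RESOLV_BAD = """\
nameserver 192.0.2.1
nameserver 192.0.2.10
"""

if __name__ == "__main__":
    for label, text in (("ok", RESOLV_OK), ("bad", RESOLV_BAD)):
        print(label, check_ad_dns(text, "192.0.2.10", "demo.example") or "ready")
```

Run it against the real file with `check_ad_dns(open("/etc/resolv.conf").read(), "<AD DNS IP>", "<AD domain>")`; the reverse-lookup half of the requirement still has to be confirmed on the DNS Server itself, since a PTR zone cannot be detected from the client's resolver configuration.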
The virtual environment should also be configured to run as an isolated evaluation environment using Local/Host-only or Shared/NAT networking.
For example, this book was tested using the following virtual environment; this would be a good minimum configuration:
One Windows Server 2008 (or Windows Server 2003) virtual machine image with 256-384 MB RAM, a 4 GB disk image, and using a network address translation (NAT) network connection.
One Windows 7 virtual machine with 1 GB RAM, a 60 GB disk image, and using a network address translation (NAT) network connection.
One Red Hat Enterprise Linux virtual machine image with 256-384 MB RAM, a 4 GB disk image, and using a network address translation (NAT) network connection.
In addition, because the virtual environment runs as an isolated network, each virtual machine should be manually assigned its own static TCP/IP address and host name. After you create the Windows Server virtual machine, you need to configure the server roles for the computer. To evaluate Centrify Suite, the Windows Server virtual machine needs to be configured as: An Active Directory Domain Controller
When you configure the DNS Server role for the Windows Server virtual machine, you should configure it to perform both forward and reverse lookups and to allow secure dynamic updates.
UNIX system(s) software installation: You can use the Deployment Manager to automatically select the appropriate Agent package and install it on your UNIX computer(s), or you can download the Agent package from the Centrify Customer Download Center, extract the package yourself, and run the install.sh script from the UNIX console. Both methods are described below.
Note
This chapter describes installing the DirectManage components only. The DirectAudit installation steps are done separately in Chapter 8, Audit: Set up the evaluation environment. The process begins from the Centrify Suite DVD or iso image. If you do not have the Centrify DVD, go to the Centrify Customer Download Center. You get to the Customer Download Center from the home page. You enter through the Support tab. Select the Customer Support Portal.
You are immediately prompted to enter the email address and a password for your account. After your credentials are validated you get to the portal page. Select the Customer Download Center link.
Two areas on this page are for people building an evaluation system: Evaluating Centrify Solutions: This page offers step-by-step download and installation instructions that parallel this book. (Use one or the other, do not try to use both.) If you need to download the Centrify Suite DirectManage package, start here. Go to Step 2. Download Centrify Suite 2012 and select the iso or zip file for your 32- or 64-bit Windows platform. This page does not, however, offer the Agent packages you install on your UNIX computer(s).
Centrify Suite 2012: This page offers for download the same Centrify Suite DirectManage packages available from the Evaluating Centrify Solutions page. For the evaluation system be sure to download the DirectManage Enterprise Edition, rather than the Standard Edition. As above, click on the link corresponding to your Windows platform processor architecture. In addition, use the links at the bottom of the box to get the Agent package. Choose Agents Disk to download a zip file/iso image that contains all of the Agent packages. Alternatively, click Choose System to just download the package for a single UNIX platform. You will need to install the package manually on each UNIX computer if you choose this option.
Notes
If you are installing on a Windows workstation running in a virtual machine, it is handy to download the iso image file and then use it as a virtual CD/DVD drive. For example, in VMware go to the Virtual Machine Settings. In the Hardware tab select the CD/DVD (IDE) device, select the Use ISO image file radio button and browse for the iso file you downloaded. Be sure to check the Device status boxes too.
During the installation, you are prompted to enter your license key. A 30-day license option is available free as a part of the installation program. Alternatively, a Centrify representative may have emailed a license key separately. When prompted, cut and paste the license key from the email into the form.
If you have not already done so, extract the files from the .zip version, burn a DVD from the iso image, or mount the iso image file as a virtual disk on your virtual machine.
3 Centrify DirectManage: Click Next to proceed.
4 Review License Agreement: Click the I agree to these terms radio button and click Next.
7 Choose Destination Folder: For the evaluation system, use the default. Click Next.
8 Disable Publisher Evidence Verification: For convenience, leave the default
The installation takes a couple of minutes and adds two icons to your desktop:
Centrify DirectControl: The DirectManage Administrator Console
Deployment Manager: The program you use to manage the Centrify Suite software on the UNIX systems on the network.
11 Click Exit to close the DirectManage installation. You will install the DirectAudit software in Chapter 8, Audit: Set up the evaluation environment. This completes the Windows system DirectManage components installation stage. Do not start up the Administrator Console right now. Instead, proceed to Stage 2.
Manually, download the Agent package from the Centrify Customer Download Center, copy the file to your UNIX computer(s) and run the install.sh script. Go to page 51 for the instructions.
If you are installing the Agent software on a single UNIX computer, the manual method can be more expeditious, especially for UNIX administrators. The result is the same for both procedures.
Download Centrify Software: In this step you either download the platform packages from the Internet or specify the DVD source to your system.
Analyze Your Environment: In this step, Deployment Manager analyzes your target computer environment(s) to confirm that they are Centrify Suite-ready and to determine which package to use.
Deploy Centrify Software: In this step, Deployment Manager installs the Centrify Suite package on your selected platforms.
The Deployment Manager Welcome window displays the four deployment phases.
Note
The Deployment Manager is designed as a production system tool to help administrators with the ongoing maintenance and update of their Centrify-enabled UNIX systems. This eliminates the complexity for large scale systems but adds a few more steps to the evaluation system deployment process.
2 The program asks you to specify a list or have Deployment Manager find them for you.
Click the Discover computers from the network radio button and Next to have DirectManage identify all of the prospective UNIX computers in your environment. Alternatively, click the Add a single computer radio button to enter each computer individually.
3 The next screen lets you define the scope of the search.
By default, the program selects the subnet based on the Windows workstations IP address for the search. Click the other radio buttons to use different criteria.
4 It takes a couple of minutes (depending upon the size of your network) to discover the computers. The program lists the UNIX computers it found (those it could ping) within the range of addresses you selected. (In my case, I have just one.)
Check the box for each UNIX computer upon which you want to install the Centrify Suite software.
5 The next window lists any other computers it found in the subnet. Scan the list to see if there were any other UNIX computers found. (Disregard any Windows computers it found; the sole purpose of the Deployment Manager is to identify and service the UNIX computers.) If other UNIX computers were found and you want to include them in the evaluation system, check the corresponding box. This window also lists all of the IP addresses in the subnet. If you know of any UNIX computers in the subnet that were not found (most often the cause is that the machine is offline or turned off) AND you want to install the Centrify Suite package, check the corresponding IP address box to register each one in Deployment Manager. Deployment Manager only services the registered UNIX computers. You can run Deployment Manager at any time to find UNIX computers and deploy the Centrify Suite package. You do not need to install them all at this time.
Note
6 The program prompts you to specify the name of an account on the target computer(s) that has sufficient privilege to make system changes. If that account does not have root privileges, check the box to specify a privilege command (see figure for an example), select su from the drop-down menu, and enter the root password. In the next window, enter the password for the user name you specified. Click Next to finish each window.
If you specify multiple computers, Deployment Manager prompts you for the user name, privilege command, root password and user password separately for each computer. Deployment Manager then finishes its interrogation of the machine and updates the home page with the list of computers found. It takes a couple of minutes to finish. During the operation, Deployment Manager covers the affected icon with an hour glass; this is your indication that the procedure has not finished. For example, in this instance the hour glass is imposed upon the Computer icon (see the following figure.) Deployment Manager uses the same icon during the other phases. Click Finish when prompted.
Deployment Manager updates the Computer Statistics pane with an icon representing each UNIX computer and its operating system. Double-click on the icon to get the full information found. Deployment Manager also updates the All Computers branch with the host name (Redhat in my case). If you have more than one UNIX computer, double-click All Computers for the full list along with their information.
Deployment Manager also looks in Active Directory for the users and groups in the computer and other UNIX properties. There are none at this point, but as you go through the exercises, open Deployment Manager to see how the tree is filled out. In a production system, Deployment Manager is a convenient tool to get a configuration summary from a variety of perspectives. This concludes the Build Computer List phase.
In this phase, you load the following Centrify Suite components into Deployment Manager. The DirectControl Agent: There is a separate Agent package for each combination of platform (for example, Red Hat Enterprise Linux, AIX, HP UX, etc) and processor architecture (x86 32-bit, x86 64-bit, PPC, SPARC, etc.).
The Analysis Tool (adcheck): You use adcheck from a UNIX console to perform operating system, network, and Active Directory tests to verify that a machine is ready to join the specified Active Directory domain. The output from adcheck includes, notes, warnings, and fatal errors, including suggestions on how to fix them.
Note
This book does not illustrate use of adcheck. See the Administrator's Guide for the description or just try it out after you have installed the software on the UNIX computer.
The Agent packages are not included in the Centrify-Suite-2012-mgmt-ent-Win... file you installed earlier. They are provided separately. The Deployment Manager gives you two options for loading the packages: Customer Download Center: The Deployment Manager prompts you to enter your account and password. Then it looks at the UNIX computers found in Step 1 and automatically downloads the corresponding Agent and Analysis Tool. If you plan to use this option go right to step 1 on the next page.
Agents DVD: Deployment Manager prompts you to enter the location (directory or drive) that has the full catalog of the Agent and Analysis Tool packages for every combination of UNIX platform and processor. If you plan to use the Agents DVD option AND you do not have the physical disk, download the iso image or a zip file from the Centrify Customer Download Center before you begin Step 2. Use the following procedure to download the file and import the catalog. a Go to the Customer Download Center (from the Centrify home page click on the Support tab, select Customer Support Portal and then click the Customer Download Center link) and select AgentsDisk.
Evaluation Guide
b Click the blue download button to select either the zip or iso package. c Copy the zip file to the Windows system on which you are running Deployment Manager and extract the files or map the iso file to a logical disk accessible by the Deployment Manager. d Import the catalog of files into Deployment Manager. In the Deployment Manager window, right-click the Centrify Deployment Manager node in the left hand pane and select Import Centrify Product Catalog ... from the menu.
Change directories to the drive (logical or physical) or directory that has the unzipped files or virtual drive with the iso file, select the file centrify-productcatalog-offline and click Open. The import process begins immediately. It takes several minutes. When it is complete, a window pops up indicating Centrify Product Catalog imported. Click OK. Use the following instructions to load the Agent package(s) and Analysis Tool(s) into Deployment Manager.
1 In the Deployment Manager home screen, click the Step 2: Download Software ... button.
2 The first window gives you the following options:
Download from the Centrify Download Center: To use this option, enter the email address and password for your support center account. Then click Next>. The rest is automatic. Deployment Manager downloads just the Agent package and Analysis Tool corresponding to the platform and processor of your UNIX computer(s).
Copy from network or local drive: To use this option, click the radio button and browse to the DVD drive (physical or logical) or directory with the unzipped files and click Next. The next window displays all the files that will be copied. Click Finish. Deployment Manager loads the Analysis Tools and Centrify Suite software for all of the options in the catalog onto your Windows system and updates the Download Centrify Software pane to show the software downloaded and platforms supported.
This concludes software download. You can see a list of the files downloaded by expanding the Software node in the left hand pane.
In this phase, Deployment Manager analyzes the selected UNIX computers to ensure it has the privileges to install software and to determine whether any Centrify software is already installed. The following figure illustrates the state of my machine at this point. My Red Hat computer is listed in Computers Not Analyzed. Unless you have Centrify software already installed (for example, you are upgrading from a previous version), your UNIX computers should be listed in this category.
Note
Recall that Deployment Manager is a system administrator tool. In a production environment, the categories, fields and messages become quite useful for understanding and managing the state of systems. Click the Analyze ... button to proceed. Enter the Active Directory domain name and click OK. (You can ignore the Number of domain controllers to analyze setting when setting up the evaluation system; it will not affect performance.)
This takes a minute or two. The hourglasses covering All Computers and RedHat in the Computers branch tell you that Deployment Manager is analyzing.
When Deployment Manager is done, it updates the home page with the results of the analysis. Your results should look similar to the following figure, except that your computers are more likely listed under Ready to Install rather than Ready to Install with Warnings.
You can continue to install the software on computers that are Ready to Install with Warnings. If you are curious about the warnings, click the chevron to list the candidate computer's warning issue(s) and double click an issue to find out what's wrong.
Note
If the Analysis does NOT update the display, click on the History node in the tree for a list of the analysis sessions and right click on the most recent. Click the Trace tab for the details. This completes the Analysis phase.
Step 4: Deploy Centrify Software
In this phase, Deployment Manager deploys the Centrify Suite packages to the selected UNIX computers and installs the DirectControl Agent.
1 Check the UNIX computers listed under Ready to Install that you want to use in the evaluation system.
2 Deployment Manager displays a series of windows to refine which software to deploy. In the first window, select the Centrify Suite Enterprise Edition. Take the defaults in the next two. HOWEVER, when prompted to Join Computer to Zone After Install, UNCHECK the box. You join the UNIX computers in another exercise.
3 Click Next to proceed through the Select Edition and Select Suite windows.
4 In the Select Components window, you want Centrify DirectControl and Centrify OpenSSH.
Centrify OpenSSH: The package includes a compiled version of the latest OpenSSH distribution to make it easy for you to install and use SSH with Centrify Suite for secured authentication to Active Directory using Kerberos. This option is selected by default. It is, however, optional. If you do select it, the installation process configures the computer to use the Centrify OpenSSH in place of any existing OpenSSH already installed on the computer. See Appendix A, Using Centrify Suite with SSH for the configuration and testing instructions. If you do NOT want to install the Centrify OpenSSH, uncheck the box.
Centrify NIS: The DirectControl Network Information Service is an optional addition to the DirectControl Agent. Once installed and running, it functions just like a standard NIS server; however, it responds to NIS client lookup requests using the information stored in Active Directory. This option is NOT checked by default. If you want to evaluate the NIS support, check this box and see the instructions in Appendix B, DirectControl Network Information Service.
computers into Active Directory after install. You add the computer(s) later in the exercises.
During deployment, Deployment Manager updates the window to show activity. Notice that the hourglass covers the Computers branch and affected nodes.
When it's done, Deployment Manager shows a check mark next to the host name.
At this point the DirectControl Agent and UNIX command line tools have been installed on each UNIX computer selected. In addition, since you selected the Enterprise Administrator suite option, the DirectAudit Agent and its UNIX command line tools are also installed. However, the UNIX computer is not joined to Active Directory.
Go to the download center (from the Centrify home page by clicking on the Support tab and selecting Customer Support Portal. From that page click the Customer Download Center link and enter your account and password).
1 To download your agent select the Choose System link at the bottom of the Centrify
2 In the next window, scroll down to your platform and select the option corresponding to your processor. Notice that there are separate versions for Intel 32- and 64-bit processors. For example, the following picture shows the Red Hat Enterprise Linux options. The option for 32-bit Intel processors has x86 at the end of the file name; for 64-bit processors the file name ends with x86_64.
3 In the next window, scroll down to the Centrify Agent Installer and click on the tgz file listed in the Download column. This file contains both the Agent and the Analysis Tool for this platform.
tar on a Red Hat Enterprise Linux-based computer. The tgz file was copied to a directory named cs2012agent.
If the computer already has an Agent installed (for example, a previous version) use the script to remove it. After the script completes the Agent removal, reboot the computer and run the same install.sh script again to install the new version.
Note
2 The script runs the adcheck command to confirm that the Agent can be installed. For your evaluation system, you can ignore warnings. Failures need to be fixed before the script can complete the installation. To proceed with the installation, enter E to install the Enterprise Edition.
3 Enter Y to run adcheck to verify your AD environment.
Then enter the domain name on the Active Directory domain controller.
4 Enter N when prompted, Join the Active Directory domain (Q|Y|N) [Y]:
Do NOT join the domain at this time. Be careful too, the default is Y.
5 The script displays the list of components that will be installed. The following figure illustrates the prompts and the default selections. For most cases, enter Y to proceed. The ONLY exception is if you plan to test the Centrify Network Information Service (NIS). See Appendix B, DirectControl Network Information Service for the description of the NIS option. If you want to install the NIS option, enter N and then select each option individually.
Note
The script proceeds to run adcheck again, this time adding an analysis of the connection to the Active Directory domain controller, and then installs the components selected. This concludes the manual installation process on this UNIX computer. If your evaluation system has other UNIX computers, repeat this procedure on each one.
Chapter 3
In the process, all of the UNIX users will have standard Active Directory accounts and the security groups will be standard Active Directory groups. In the exercises that follow, the UNIX computer is based on Red Hat Enterprise Linux and named redhat, and the Active Directory domain is named demo. It doesn't matter what brand of UNIX you are using or what the domain name is; just substitute your system's properties. IMPORTANT: The purpose of this exercise is to quickly illustrate the concepts and features you use to manage and provision your UNIX users. There are many more features and best practices that decrease your effort and simplify on-going maintenance that are not covered here. Please set aside some time to explore after you have completed the exercises in this chapter and the next. In this chapter you build the basic infrastructure: create an Organizational Unit for the UNIX users, groups and computers, create Zones, add users and assign rights for a subset of those users. In addition, you join the UNIX node to the Active Directory domain controller and log in.
At this point you should have at least deployed the DirectControl Agent to your UNIX computer(s) and have the DirectControl Administrator Console installed on the Windows workstation. You do not need to have created any Zones or joined the UNIX computer to the Active Directory domain controller yet. The exercises are broken down into the following sections:
Create and delegate OU for UNIX
First time setup with the Administrator Console
Add UNIX users and create Zones
Create groups, add users, assign role
Join UNIX computer to a Zone
Log in to the UNIX computer
Make machine-level adjustments
Show Users
Whenever the instructions refer to Active Directory Users and Computers, this refers to the dsa.msc command on the Windows workstation. If you are running the exercise from the Windows Server rather than a workstation, this utility is available in the Administrative Tools menu.
Note
from accidental deletion and click OK. In the next steps, you create the organizational units for the service accounts, UNIX groups and UNIX servers. (The UNIX user accounts are in the domain Users container.)
4 Right click the UNIX organizational unit you just created (see picture), expand New and select Organizational Unit. Enter the name for the service accounts organizational unit, uncheck Protect container from accidental deletion and click OK.
5 Right click the UNIX organizational unit again, expand New and select Organizational Unit. Enter UNIX Groups, uncheck Protect container from accidental deletion and click OK.
6 Right click the UNIX organizational unit again, expand New and select Organizational Unit. Enter UNIX Servers, uncheck Protect container from accidental deletion and click OK.
in account on the Windows workstation does not have an administrator-level account in Active Directory.) For example, double click on the DirectControl Administrator Console. The program displays the prompt on the left. When you specify the domain controller, precede the domain name with the computer name. For example, in the image on the right the Windows Server computer name is win08 and the domain name is demo.com. In this case, the user is logging on using the Windows Server administrator account.
The first time you connect to the Active Directory domain controller the DirectControl Administrator Console prompts you to perform some housekeeping chores, for example, set up the license repository and define some global Active Directory properties. This procedure is run just once: the next time you launch the Administrator Console you will not be prompted again; nor will you be prompted if you install the Administrator Console on additional workstations. In this series of steps you perform the one-time configuration setup.
1 If you have not already done so, double click on the DirectControl Administrator Console and specify the Active Directory domain controller and the user account/password as illustrated above.
2 Welcome to the Centrify DirectControl Setup Wizard: Click Next.
3 User Credentials: Click the Specify alternate user credentials radio button only if the Active Directory account you used to connect to the forest does NOT have enhanced rights. Then enter the user name and password for an account with root domain administrator or enterprise administrator privileges. Click Next to proceed.
4 Install Licenses: This window prompts you to specify the location for the license keys.
In this step you create the container in the UNIX organizational unit for easy reference. To see the Licenses container after you create it, check the Advanced Features option in the Active Directory Users and Computers View menu.
Note
Do not use the default. Instead, click Browse, select the UNIX organization unit and click the Create... button.
In the next window, keep the container as the Type and enter Licenses for the Name. Click OK.
When the program returns the Browse for Container window, expand the UNIX node and select Licenses and click OK.
Click Next to proceed. Click Yes to acknowledge the notification, All the user accounts in this AD forest will be granted ....
5 Install License Keys: If you did not receive either a license key or file by email from Centrify, select the Install 30-day evaluation license key radio button. Otherwise, copy and paste the license key from the email or import the license file.
6 Default Container for Zones: This window selects the location for the default container for the Zone data. Do NOT select the default. Instead, create a container in the UNIX organizational unit. This makes it much more convenient to manage the Zone information. Just as you did for the Licenses container, click the Browse button to start. Next, select UNIX and then click the Create ... button. In Create New Object, keep the Type as container and enter Zones as the Name. Click OK.
When the program returns the Browse for Container window, expand the UNIX node and select Zones and click OK.
proceed.
9 Setup Property Pages: As a convenience during the evaluation, check the box. Click Next to proceed.
10 Summary: Click Next to proceed.
11 Completing the Centrify DirectControl Setup Wizard: Click Finish to proceed.
This concludes the one-time set up of the Zone data in Active Directory. Subsequently, when you launch DirectControl Administration Console, you will only be prompted to enter the domain controller and account information. Leave the DirectControl Administrator Console open for the time being. In the next steps you use Active Directory Users and Computers, however, after that you return to the Administrator Console.
1 Open Active Directory Users and Computers from the Start > Administrative Tools menu on Windows Server.
2 Add sample users: Right click the demo > Users organization unit, select New and User and add the following users. (In a production environment, you would likely already have Active Directory accounts for your UNIX users.) For this exercise, enter them individually using the following names:
Adam Avery
Brenda Butler
Chris Carter
Fred Thomas
George Griffin
Nina Norris
Simon Schuster
This process is more hands-on than you would use in your production environment. When you are ready to deploy, tools are available to import user and group information from your UNIX systems. You are prompted to enter the Full name and logon name. Use the following model:
For each user, enter the User logon name in the form first.last. In the next window, enter a password for the user. IMPORTANT: For convenience, uncheck the User must change password at next logon box and check the Password never expires box.
3 Create an AD group for the UNIX users.
To simplify immediate and on-going user provisioning, you should create a separate AD group for the UNIX users in the UNIX Groups organization unit you created earlier.
If it's not open, launch Active Directory Users and Computers. Expand the UNIX organizational unit and right click UNIX Groups. Select New and Group. Enter UNIX Users as the Group name.
4 Select all of the users you added above, go to the Action menu and select Add to a group. Enter UN and click Check Names to select the UNIX Users group and click OK. Open the UNIX Groups organizational unit, right click UNIX Users and select Properties. All of the UNIX users should be listed in the Members tab. In the next set of steps you create the Global parent Zone and a child Zone and give the sample Active Directory users you created their UNIX identities.
1 If you closed the DirectControl Administrator Console after the forest
The program prompts you to specify a domain controller in the Active Directory forest.
How you respond depends upon whether you are logged in to the Windows workstation using a local account or a domain (Active Directory) account.
where computer is the domain controller's computer name and domain is the domain name. After you enter the domain controller, check the Connect as another user box and enter the administrator (or equally privileged account name) and password.
Domain account: Specify just the domain name (the computer name is not required). If this domain account has administrator privileges on the Active Directory server, click OK. Otherwise, check the Connect as another user box and enter the administrator (or equally privileged account name) and password.
Fill in the Zone name (Global) and Description (Parent used in this example). Leave the Container radio button selected and click Next.
In the following windows select the defaults: I want a hierarchical zone and Standard Zone. Click Finish to complete the process.
3 Create the FIN child Zone.
In DirectControl Administrator Console right click Zones > Global. Select Create Child Zone ... and enter FIN for the Zone name and Finance Department for Description. That's all you need for the evaluation. Click Next and then Finish in the next window. Expand the FIN Zone. Notice that, except for NIS Maps (see Appendix B, DirectControl Network Information Service for the description of NIS Maps), child Zones have the same Computer, UNIX Data and Authorization categories as the Global Zone.
In this step, you use the Centrify Zone Provisioning Agent (ZPA) to create the UNIX identities for the UNIX users in the Active Directory accounts. ZPA automates provisioning and makes it easier on a day-to-day basis to give new employees UNIX identities using your existing Active Directory management tools and provisioning process. To begin, you need to set up the default UNIX properties ZPA uses to provision each user. The default properties are set in the Zone properties. In Centrify DirectControl Administrator Console right click on Zones > Global and select Properties.
Select the Provisioning Tab and check the Enable auto-provisioning for user profiles box. For the evaluation system, set the values as shown in the following figure.
Click OK to set the defaults. The following table explains each property:
Source group: UNIX Users@centrify.demo. This property tells ZPA where to look for the accounts to provision. Going forward, you just need to add new employees to this group to automate provisioning. To select the group, click the find icon. Enter UN and click Find Now to list the objects. Select UNIX Users from the list.
UID: Use the default value for the evaluation system. ZPA defines a unique identity number for each user based on the factor you select (see menu).
Login name: <SamAccountName attribute>. Use the default value. ZPA uses the option selected to define the UNIX account name. Note that users can log in with the AD login name too.
Shell: %{shell}. Replace the default property with this entry. In this case the entry lets the DirectControl Agent define the default shell. (Since the default shell can be defined differently for each UNIX host, it's inconvenient to have to define it at the user properties level. When you use this entry the DirectControl Agent defines the default shell corresponding to the local host. You can modify this value if necessary in the DirectControl Agent configuration file.)
Home directory: %{home}/%{user}. Replace the default property with this entry. In this case the entry lets the DirectControl Agent define the default home directory. (The reasoning is the same as for the shell: the home directory is platform dependent, and it's easier to let the DirectControl Agent set it.)
Primary group: Use the default value. ZPA assigns the user's group ID based on the UID.
GECOS: Replace the default with the entry shown in the figure. In many cases the GECOS field is simply a comment field used to provide more information about the user. In this case, the entry illustrates another, common use: setting account values so that the UNIX finger command displays the user's full name, department and office phone number in the Office field.
You can override any user's property if you need to. To conclude, you configure the ZPA and start the services. Once started, ZPA automatically provisions users in the Global Zone upon periodic inspection.
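As an added example (not Centrify's code, and not how ZPA is actually implemented), the following Python models how the Zone defaults above turn one member of the source group into a UNIX profile: the %{...} tokens are expanded from AD attributes, %{shell} and %{home} are left for the DirectControl Agent to resolve per host, the primary group follows the UID, and the GECOS entry is laid out the way finger reads it (name, office, office phone). The AD attribute names, the UID scheme, the GECOS pattern (the guide's figure is not reproduced here), the UID range and the sample accounts are all assumptions. It also adds a check the guide does not mention: a value containing a colon or newline is rejected, because it would corrupt the colon-separated passwd record that NSS hands to the host.

```python
import hashlib
import re

# Zone defaults as entered on the Provisioning tab in the guide. The GECOS
# pattern is an assumption standing in for the entry shown in the guide's figure.
ZONE_DEFAULTS = {
    "login_name": "%{samAccountName}",
    "shell": "%{shell}",
    "home": "%{home}/%{user}",
    "gecos": "%{displayName},%{department},%{telephoneNumber}",
}
UID_RANGE = (100000, 200000)       # assumed; the real range comes from the UID menu
AGENT_TOKENS = {"shell", "home"}   # left for the DirectControl Agent to resolve per host

_TOKEN = re.compile(r"%\{(\w+)\}")
_LOGIN_OK = re.compile(r"^[a-z_][a-z0-9._-]{0,31}$")   # portable passwd login name


def assign_uid(sam_account_name, used=frozenset()):
    """Constructed UID scheme: a stable number derived from the account name,
    stepping forward past any UID already in use in the Zone."""
    lo, hi = UID_RANGE
    digest = hashlib.sha256(sam_account_name.lower().encode()).digest()
    uid = lo + int.from_bytes(digest[:4], "big") % (hi - lo)
    while uid in used:
        uid = lo + (uid - lo + 1) % (hi - lo)
    return uid


def expand(template, values):
    """Substitute %{attr} tokens from AD attribute values; agent tokens stay as-is."""
    def sub(match):
        name = match.group(1)
        if name in AGENT_TOKENS:
            return match.group(0)
        if name not in values:
            raise KeyError(f"AD attribute {name!r} is missing for template {template!r}")
        return str(values[name])
    return _TOKEN.sub(sub, template)


def passwd_safe(field_name, value):
    """Reject values that would break the colon-separated passwd/NSS record."""
    if any(ch in value for ch in ":\n\x00"):
        raise ValueError(f"{field_name} contains a passwd separator: {value!r}")
    return value


def provision(user, defaults=ZONE_DEFAULTS, used_uids=frozenset()):
    """Build the UNIX profile ZPA would write for one member of the source group."""
    login = expand(defaults["login_name"], user).lower()
    if not _LOGIN_OK.match(login):
        raise ValueError(f"login name {login!r} is not a valid UNIX user name")
    uid = assign_uid(user["samAccountName"], used_uids)
    values = dict(user, user=login)          # %{user} is the login name just derived
    return {
        "login": login,
        "uid": uid,
        "gid": uid,                           # primary group follows the UID, as in the guide
        "shell": expand(defaults["shell"], values),
        "home": passwd_safe("home", expand(defaults["home"], values)),
        "gecos": passwd_safe("gecos", expand(defaults["gecos"], values)),
    }


def provision_group(members, defaults=ZONE_DEFAULTS):
    """Provision every source-group member; return (profiles, rejected).

    A duplicate login name is rejected: it would alias two AD identities onto
    one UNIX identity and defeat accountability on the host."""
    profiles, rejected = [], []
    seen_logins, used_uids = set(), set()
    for member in members:
        try:
            profile = provision(member, defaults, used_uids)
        except (KeyError, ValueError) as err:
            rejected.append((member.get("samAccountName"), str(err)))
            continue
        if profile["login"] in seen_logins:
            rejected.append((member["samAccountName"], "duplicate login name"))
            continue
        seen_logins.add(profile["login"])
        used_uids.add(profile["uid"])
        profiles.append(profile)
    return profiles, rejected


# Constructed sample members of the UNIX Users source group (not real accounts).
SAMPLE_MEMBERS = [
    {"samAccountName": "fred.thomas", "displayName": "Fred Thomas",
     "department": "Finance", "telephoneNumber": "555-0100"},
    {"samAccountName": "brenda.butler", "displayName": "Brenda Butler",
     "department": "Finance", "telephoneNumber": "555-0101"},
    # A display name carrying a colon would corrupt the passwd record: rejected.
    {"samAccountName": "adam.avery", "displayName": "Adam:Avery",
     "department": "IT", "telephoneNumber": "555-0102"},
]

if __name__ == "__main__":
    ok, bad = provision_group(SAMPLE_MEMBERS)
    for p in ok:
        print(f"{p['login']}:x:{p['uid']}:{p['gid']}:{p['gecos']}:{p['home']}:{p['shell']}")
    for name, why in bad:
        print(f"rejected {name}: {why}")
```

Running it prints one passwd-style line per provisioned user and a rejection for the malformed display name; the agent tokens are printed unexpanded, which is exactly what the Zone stores until the Agent on each host fills them in.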
Click on Start > All Programs > Centrify > Zone Provisioning Agent > Zone Provisioning Agent Configuration Panel to begin.
Settings:
Domain: Confirm that the proper domain is displayed.
Polling interval: Set to 10.
Event log: Click the Write the UNIX profiles for the provisioned... radio button.
Troubleshooting: Do not check.
Service account: Enter Administrator and the administrator's password. (In a production environment, you would set this to a service account which has delegated permissions to run as a service and has appropriate permissions to create and delete UNIX profiles in the Global Zone.)
Click the Apply and then the Start button. The account you choose may not have Log on as a service rights. If you get the following error message, follow the instructions to add the Administrator account to the Log on as a service properties.
Note
To see the results, in the DirectControl Administrator Console open Zones > Global > UNIX Data > Users. The right-hand pane should list all the members of the UNIX Users group. If it does not, re-open the ZPA and click the Restart button. (The members may not have appeared because the polling period had not ended. Restart forces a polling cycle.) In addition, right click in the pane and select Refresh.
1 Create the EntSA (enterprise system admins) and FinUser (Finance department users) groups. Open Active Directory Users and Computers. Expand to demo > UNIX > UNIX Groups and right click. Select New and Group.
Enter EntSA as the Group name. There's no need to change the pre-Windows 2000 Group name. Use the default Global Group Scope and Security Group type radio button settings.
2 Create the FinUser group.
Repeat the previous step, this time create the FinUser group.
3 Add users to groups.
Click the Members tab and then the Add button at the bottom of the page. For EntSA there's just one member: Fred Thomas. Enter Fred as the object name and click Check Names. Select Fred Thomas from the list and click OK and then OK again. Fred Thomas is now in the EntSA group. Click OK to exit. Right click on the FinUser group and repeat the process to add Brenda Butler, Chris Carter, and George Griffin to the group.
Both groups are now staffed but the users have no rights yet.
4 Add UNIX properties to Active Directory groups.
This step serves two purposes: first you select the Zone in which that group's privileges apply, and second you give the group its UNIX properties. Open the Centrify DirectControl Administrator Console. First, put the EntSA group in the Global Zone. Right click Global > UNIX Data > Groups and click Create UNIX Group. Enter E and click Find Now. EntSA should appear in the list. Select it and click OK. You are prompted to enter the group ID: enter 80000 and click OK.
For FinUser, the process is the same except that you want to define the identity of the group in the FIN Zone, limiting the group's access controls to the UNIX systems joined to the FIN Zone only. Therefore, right click Global > Child Zones > FIN > UNIX Data > Groups and repeat the process to find the FinUser group and assign it the GID 50000.
The groups are staffed and in their Zones but the members still do not have any access rights. In this step, you grant access rights for the first time by assigning a role to a group. Begin with the EntSA role: In the Centrify DirectControl Administrator Console, expand Global > Authorization, right click on Role Assignments and select Add Group ....
As above, enter E in the Name field and click Find Now. Select EntSA from the list and click OK. Click Browse to get the list of available roles. There are two default roles:
login: gives the group members login rights to the computers in the Zone
listed: gives users no rights; however, it lets the user remain in the Zone for historical records
The next chapter illustrates how you create additional roles. Select login.
Notice in the next window that the role includes the scope of the access rights - Global in this case - and allows you to set a Start time and End time and other properties to customize the privileges. Use the defaults for the evaluation and click OK. This completes the role assignment for the EntSA group. Repeat to assign the FinUser group the login role. The process is the same except you start the process in Global > Child Zones > FIN > Authorization > Role Assignments. The following figure shows you the result. Notice that the Role scope is
Run the adjoin command: You run this option from a console on the UNIX computer. See Run adjoin from the UNIX computer on page 76 for the instructions.
This procedure only works if you used Deployment Manager to deploy the Agent and Analysis Tools to the UNIX computer in Chapter 2, Setting up the evaluation environment (see Deployment Manager path on page 38). (If you manually installed the software on the UNIX computer, Deployment Manager does not yet know about that computer.)
If you did not use Deployment Manager to install the Agent and Analysis software on the UNIX computer, skip to Run adjoin from the UNIX computer below. Use the following steps to join your UNIX computer using Deployment Manager. You must be logged in with administrator privileges to use this command. Alternatively, you can specify another Active Directory account.
1 Start Deployment Manager.
2 In the left pane, expand the Computers node and select the computer you want to join to Active Directory.
3 Right click and select Manage Zone ... .
4 In the Manage Zones window, select Join Computers to Zone.
5 In the Active Directory Administrative Account window, if you are not logged in with an account with administrator privileges, click the Use another user radio button and enter the account name and password. Click Next>.
6 The Provide Join Options window lets you specify the Zone to join (a computer can join only one Zone at a time) and the container for the information. For the eval system, you want to join the UNIX computer to the FIN Zone and list it in the UNIX Servers container.
First, select the Zone: Click the Zoned Mode radio button. Click the Browse button and, in the next window, the Find Now button. This lists all of the Zones you have created so far (only Global and FIN in our case). Select FIN and click OK.
Next, select the container: Expand the UNIX container you created and select UNIX Servers. Click OK. Your Provide Join Options window should look similar to the following, where demo is the name of your domain. Click Next>.
The next window prompts you again to enter another Active Directory account name and password. This time, however, it is only pertinent to those cases where the Group Policy set in Active Directory locks down use of the UNIX computer root account. This policy has not been set in the evaluation system so you can ignore this window. (See Set user mapping on page 116 for more about locking down a root user.) Click Next>. The last window summarizes your selections. Click Finish.
Deployment Manager attempts to join the computer. An hourglass is displayed over Computers, All Computers, and the selected computer while the join is in progress. When it's done, you can confirm the join by selecting the Computers node to see the list of UNIX computers. Scroll to the right; the Domain and Zone data is now filled in. Repeat for all of the other UNIX computers you want to join.
When the UNIX computers join, they must specify the Zone. In this demo the Zone is fin.
1 Join the UNIX computer
Log in to the UNIX computer using the root account, or a named account and then switch to the root account. You use the Centrify Suite adjoin command to join. It's in /usr/sbin on the UNIX node. The adjoin command format to join a Zone is:
adjoin windowsdomain -z zonename -c container -u accountname
where
windowsdomain is the name of the Active Directory domain on the Windows server
zonename is the name of the Centrify Zone
container is the fully qualified name of the AD container in which you want the computer listed (recall that you created a separate organizational unit, UNIX Servers, for the UNIX computers)
accountname is the AD account with root privileges.
For example, in this book the domain is named demo, so the adjoin command would be as follows:
adjoin demo -z FIN -c "demo/UNIX/UNIX Servers" -u Administrator
adjoin prompts you to enter the Windows Server Administrator password. adjoin displays the success message that indicates the Active Directory domain and the Zone. For our purposes, you can disregard the restart other services message. Open the DirectControl Administrator Console. Notice that your UNIX computer is now listed in the FIN child Zone. For example, in this figure the computer is named redhat.
PuTTY remote session: PuTTY is a utility included in the Centrify Suite DirectManage package. (It's in C:\Program Files\Centrify\Centrify PuTTY.) You can use PuTTY to log in to any joined UNIX computer from a joined Windows computer. Go to Login from Windows computer with PuTTY on page 78 for the PuTTY instructions.
member's full Active Directory name; for example, log in as Fred.Thomas (Fred's full Active Directory name).
Enter the password. This demonstrates that the account authentication was in fact done against the Active Directory account rather than the local host. Subsequently the user can use either the full Active Directory name or the UNIX name. (Try it out: log out and then log in using the UNIX name you created for Fred.) All of the members of the EntSA and FinUser groups (Fred Thomas, Brenda Butler, Chris Carter and George Griffin) can log in because, as members of those groups, they have login rights. However, the other UNIX users cannot log in because they do not have login rights assigned yet. For example, log out from fredt and try to log in as Adam Avery.
Enter the full Host Name for your UNIX computer beginning with the Active Directory domain; for example, Demo.redhat in this exercise. (For convenience, enter a name for this node in Saved Sessions and click Save so you can just double click on the name to begin subsequent sessions on this computer.) PuTTY opens a session and displays the login prompt. To start, log in as Brenda Butler using her full Active Directory name. Then enter her password. Notice that you entered the full Active Directory name. This demonstrates that the account authentication was in fact done against the Active Directory account rather than the local host. Subsequently the user can use either the full Active Directory name or the UNIX name. (Try it out: log out and then log in using the UNIX name you created for Brenda.)
For our example, let's say that Brenda already has an account on the UNIX computer under the user ID 33445. This means that when she logs on using her Active Directory account (which has her new UID), the files associated with her old ID will not be accessible. In this section, you modify Brenda's account at the machine level to accommodate local requirements.
1 From the Centrify DirectControl Administrator Console, right click Global > Child Zones > FIN > Computers > computername > UNIX Data > Users and select Add User to Zone ... .
2 Enter b and click Find Now to retrieve Brenda's account info and click OK.
3 The program prompts you with Brenda's UNIX attributes. Click all of the boxes.
4 Enter 33445 as the replacement UID.
The following figure illustrates the form after you update the UID (notice that Primary group is automatically updated).
After this change is made, when Brenda logs in to this computer she has the UID and Primary Group 33445, but only on this computer. On all other computers in the Zone, Brenda has her Global Active Directory UNIX attributes. If you did not check the other boxes (GECOS, Home directory, etc.), the account inherits those properties from the parent Zone.
Show Users
Use the Centrify DirectControl Administrator Console to display the effective users in a Zone or for a computer. For example, right click on your UNIX computer (redhat in the exercise) and select Show Effective Users. The Centrify DirectControl Administrator Console searches Active Directory for the users with permission to log in to the selected computer in the selected Zone. The tabs in the lower window show you the selected user's UNIX profile, role assignment and rights.
You can display the effective users for Zones and computers.
Summary
In this chapter you created users and groups in Active Directory and then added UNIX properties, roles and rights using the Centrify DirectControl Administrator Console. In addition, you saw how to adjust a user's UNIX attributes to accommodate machine-level differences. All in all, though, the rights granted here are broad and would not work in a production environment. In the next chapter, you learn how to create new rights and roles and assign them to groups to give you the access rights precision you need.
Chapter 4
In Active Directory Users and Computers, create two groups in the UNIX Groups organizational unit:
FinWeb: Finance department administrators for an Apache Web server running on our redhat server.
FinSA: Finance department administrators for the UNIX computers running Red Hat Enterprise Linux.
You use the same procedure to create these groups as you did to create EntSA and
these groups as you did to add users to EntSA and FinUser (see page 70): FinWeb: Add Nina Norris
and FinSA groups (see page 71). For FinWeb use GID 40000 and FinSA use GID 60000.
Expand Global > Child Zones > FIN > Authorization > Right Definitions and right click on Commands. Select the New Command ... option.
Note See Script Example in Chapter 6, A&A: DirectManage UNIX adtools, for more examples of rights and how they are used in roles.
Occasionally the department sysadmin needs to update configuration files on the UNIX machines, for example, the Centrify Suite configuration file, centrifydc.conf. Another example: an Apache server web administrator occasionally needs to modify the httpd daemon configuration file. In this step, you create commands that give users very specific privileges. In subsequent steps you see how to control where those privileges are exercised. To give a sysadmin, for example, the ability to edit centrifydc.conf, use the New Command form to specify the command name, description, form and other attributes. The following figure illustrates the first form.
Fill in the fields as shown above. Take a look at the Run As, Environment and Attributes tabs. These give you further controls over the use of the command. For this example, take the defaults and click OK. Right click Commands to create two more rights (these two will be used in later steps to create the web administrator role):
Name               Description                          Command
httpd stop-start   stop and restart the httpd daemon    /sbin/service httpd*
vi httpd           Edit httpd conf file                 vi /etc/httpd/conf/*
Once you have your set of rights defined, you assemble them into roles.
In the next steps, you create a new role, FinDSA, and then define the rights available to users in that role. In this example, you assign the login right (which gives you access to the PAM interface) and vi httpd (one of the rights you just created).
2 Create new role
You start by creating the role. In this example you create the new role in the FIN Zone. This means this role is only available for assignment to users and groups in FIN and its child Zones. To create a role in FIN, expand Global > Child Zones > FIN > Authorization and right click Role Definitions. Select Add Role.
Enter FinDSA for the name and Finance Department system administrator for the description. Notice that you can set available times to limit the role's access to, for example, working hours only. Click the System Rights tab and, for convenience in the evaluation system, check all the boxes and click OK. In this step, you just created the role. The rights are attached in the next step.
3 Assign rights to role.
To assign the set of rights to a role, right click on the role under Role Definitions and select Add Right ... .
All of the rights available in this Zone are listed. For the evaluation system, select the login/FIN and the new commands you just created.
4 You now have a role with rights that you can assign to a user or group. In this step you assign the role to the FinSA group (Finance department system administrators). Select Child Zones > FIN > Authorization > Role Assignments and right click. Select Add Group .... In Name, enter f and click Find Now to list just the users and groups that begin with F. Select FinSA from the list and click OK.
The program prompts you to enter the Role. Click the Browse button to display the roles available and select FinDSA, the role you just created. Click OK to select FinDSA and OK to finish. The members of the FinSA group now have the rights defined in FinDSA. To see the change, click Show Effective Users in the FIN Zone. The FinSA member (Adam Avery) now appears in the list. Select Adam Avery and click the Role Assignment and Rights tabs for more detail.
In Active Directory Users and Computers right click UNIX Groups and create a new group called FinApache.
2 Create computer role.
Computer roles are created under the Authorization category. In the Centrify DirectControl Administrator Console expand Global > Child Zones > FIN > Authorization and right click on Computer Roles. Select Create Computer Role ....
Enter the name FinApache and the Description as shown in the following figure. Click the down arrow and select <...> to pick the Active Directory group for this computer role. Enter f and click Find Now to filter the object search and select FinApache from
Now you have the computer role. However, within the role you do not have any group role assignments or member computers yet.
3 Make FinWSA role definition.
In this step, you define a new user role and system rights to assign to the FinWeb group you created at the beginning of this chapter. In the DirectControl Administrator Console, select Global > Child Zones > FIN > Authorization > Role Definitions. Right click and select the Add Role... option. Enter FinWSA and add the description Finance department web system administrator. In the System Rights tab, check all of the boxes. Back in the General tab, click the Available Times button. This is how you would limit the hours in which the role is available. Try setting some times or click Cancel. Click OK and you are done with this step.
4 Add rights to FinWSA role.
You just created a new user role; in this step you assign the rights to the role. Select the new FinWSA Role Definition. Right click and select Add Right ... . In the Add Rights window use Ctrl-click to select the three commands illustrated in the following figure. (Recall that you added two of those commands earlier.) These rights let group members log on to UNIX machines in the FIN Zone only, stop and start the httpd daemon and edit the httpd configuration file.
Click OK and you are done defining the rights for this user role.
In this step you select the FinWeb group and assign the FinWSA role to define a set of users and a precise set of rights for all member computers in the FinApache computer role. Select the Role Assignments option in the FinApache computer role. Right click and select Add Group ....
Click Find Now and select FinWeb and click OK. In the Add Access Group window, click Browse and select FinWSA.
The only thing missing from the computer role is the member computers. In this exercise, you add only one. But in production, this is where you would add, for example, all of the computers that have an Apache server. This time, click Members under the FinApache role. Right click and select Add Computer ....
Enter the first letter of your UNIX computer's name (for example, r for redhat) and click Find Now. Select your computer from the list and click OK. This concludes defining a computer role and a set of users and rights that apply just to the computers in that role. To demonstrate just-in-time provisioning, take a look at the FIN Zone effective users. First, select Global > Child Zones > FIN, right click and select Show Effective Users. Your window should look similar to the following:
This shows the users with rights across all computers in the Zone. What you see are the members of the FinUser (Brenda, Chris, and George), EntSA (Fred) and FinSA (Adam) groups. Now, click the Computer drop down menu and select your UNIX computer (in this case redhat).
Notice a couple of differences:
Another user is listed: Nina Norris. That's because when you show the effective users for this machine only, it includes everyone in the Zone PLUS members of groups in the machine Zone. These users do NOT, however, have any access privileges outside the machine Zone.
Brenda has a different UID. That's because you changed it in the machine Zone. This means that on all computers in the Zone other than this machine she is known as UID 10002. But on this machine she's 33445.
You have now provisioned two groups to perform very different administration roles on the same computer: FinSA, who can log in and do the UNIX maintenance chores, and FinWeb, who can do the Apache server maintenance chores. That's all their privileges allow. Try it out. For example, log on to your UNIX computer as Nina Norris and edit the centrifydc.conf file. Go back to Step 1 on page 85 to create a new right and add it to the FinDSA role. Log out Nina and log in again and try the command.
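The behaviour described in this section (Zone-wide effective users, the extra computer-role member on one machine, and Brenda's machine-level UID override) as an added Python model; this is not Centrify code, and all names, UIDs, group memberships, the "login" role and the centrifydc.conf command path are constructed for the example.

```python
"""Added example (not Centrify code): a toy model of the chapter's
authorization model, showing why 'Show Effective Users' differs for a Zone
and for one computer. Names, UIDs, memberships and the centrifydc.conf
command path are constructed from the exercises."""
from fnmatch import fnmatchcase
import posixpath

# Command rights: name -> glob over the full command line (New Command form).
# The two httpd rights come from the chapter's table; the centrifydc path is
# an assumption. None marks a PAM login right that has no command.
RIGHTS = {
    "login/FIN": None,
    "httpd stop-start": "/sbin/service httpd*",
    "vi httpd": "vi /etc/httpd/conf/*",
    "vi centrifydc": "vi /etc/centrifydc/centrifydc.conf",
}
# Role definitions; FinDSA already has the centrifydc right the chapter asks
# you to add in the "Try it out" paragraph.
ROLES = {
    "login": ["login/FIN"],
    "FinDSA": ["login/FIN", "vi centrifydc"],
    "FinWSA": ["login/FIN", "httpd stop-start", "vi httpd"],
}
# Active Directory groups and members (constructed).
GROUPS = {"EntSA": ["fred"], "FinUser": ["brenda", "chris", "george"],
          "FinSA": ["adam"], "FinWeb": ["nina"]}
# Zones: parent, Zone-level UIDs, group -> role assignments, computer roles
# (member computers plus their own group -> role assignments) and
# machine-level overrides (Brenda is UID 33445 on redhat only).
ZONES = {
    "Global": {
        "parent": None,
        "uids": {"fred": 10001, "brenda": 10002, "chris": 10003,
                 "george": 10004, "adam": 10005, "nina": 10006},
        "assignments": {"EntSA": "login"},
        "computer_roles": {}, "overrides": {},
    },
    "FIN": {
        "parent": "Global", "uids": {},
        "assignments": {"FinUser": "login", "FinSA": "FinDSA"},
        "computer_roles": {"FinApache": {"members": ["redhat"],
                                         "assignments": {"FinWeb": "FinWSA"}}},
        "overrides": {"redhat": {"brenda": 33445}},
    },
}

def zone_chain(zone):
    """The Zone and its ancestors, nearest first (FIN -> Global)."""
    chain = []
    while zone is not None:
        chain.append(zone)
        zone = ZONES[zone]["parent"]
    return chain

def resolve_uid(zone, user, computer=None):
    """A machine-level override beats the UID inherited from the Zones."""
    for z in zone_chain(zone):
        if computer is not None and user in ZONES[z]["overrides"].get(computer, {}):
            return ZONES[z]["overrides"][computer][user]
    for z in zone_chain(zone):
        if user in ZONES[z]["uids"]:
            return ZONES[z]["uids"][user]
    return None

def effective_users(zone, computer=None):
    """user -> {'uid', 'roles'}: Zone-wide assignments plus, for a computer,
    the assignments of every computer role that computer is a member of."""
    roles = {}

    def assign(group, role):
        for user in GROUPS.get(group, []):
            roles.setdefault(user, set()).add(role)

    for z in zone_chain(zone):
        for group, role in ZONES[z]["assignments"].items():
            assign(group, role)
        if computer is not None:
            for crole in ZONES[z]["computer_roles"].values():
                if computer in crole["members"]:
                    for group, role in crole["assignments"].items():
                        assign(group, role)
    return {u: {"uid": resolve_uid(zone, u, computer), "roles": rs}
            for u, rs in roles.items()}

def may_run(zone, computer, user, cmdline):
    """True if a command right in one of the user's effective roles on this
    computer matches the command line. Absolute-path arguments are normalised
    first so 'conf/../../x' cannot slip past a glob; that check is this
    example's own hardening, not how the DirectControl agent matches."""
    info = effective_users(zone, computer).get(user)
    if info is None:
        return False
    words = [posixpath.normpath(w) if w.startswith("/") else w
             for w in cmdline.split()]
    return any(RIGHTS[r] is not None and fnmatchcase(" ".join(words), RIGHTS[r])
               for role in info["roles"] for r in ROLES[role])
```

Calling effective_users("FIN") lists the five Zone users without Nina, while effective_users("FIN", "redhat") adds Nina and reports Brenda as 33445 instead of 10002, matching the two differences noted above.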
Delegating Control
So far you have been the person creating Zones, groups, commands, roles, etc. However, in production you would want to delegate the functions to a group. You can delegate control at the global, child and machine levels. For example, select Global, right click and select Delegate Zone Control ....
In the Zone Delegation Wizard, click the Add... button. In the next window, instead of User, select Group from the Find: drop down menu.
Enter e in the Name: field and click Find Now. Select EntSA, the enterprise sysadmin group, and click OK. Click Next> and the wizard displays the set of tasks that control who can do what in the Global Zone. (You can do the same in a child Zone to delegate tasks separately in that Zone.) Take a look at the list. You can give one set of tasks to one group and a different set to another. For example, the EntSA members can join a computer to a Zone, and add and remove users; however, the FinSA (finance department sysadmin) members can only add and remove users.
Click Cancel to proceed. You can also delegate control at the machine level. For example, right click on the computer in the FIN Zone and follow the forms to select a group (for example FinSA). After you click Next> notice that you have fewer tasks to delegate. Again, you can delegate different sets of tasks to different groups at this level.
Making Changes
You make account, access rights, and computer changes at the Active Directory administration level, not on the computers themselves.
Accounts
Adding and deleting users and placing users in groups can all be done within Active Directory. These are the sort of tasks more efficiently done by a helpdesk clerk using a commercial GUI than by your UNIX sysadmins. For example, to add a new administrator to the FinSA group with Active Directory Users and Computers, the clerk just selects the FinSA group, clicks Properties and clicks the Members tab. Similarly, it is easy to change a user's privileges when they change jobs: when the authorization ticket reaches the helpdesk, the clerk just removes that person from one group and puts him in the new one. At no time in either step does the clerk need to modify or assign that user's rights. When you delete a user, it is often desirable to keep the account around but remove all privileges. In this case, you would create a group, FormerEmployees, and give it the role assignment listed. This way, the user account properties are preserved and available for reports, but the user cannot do anything.
Rights
Rights are changed at the role level in the DirectControl Administrator Console. After you create the new right, you select the role under Role Definitions and simply Add Right.... As soon as the right has been added, it is available to all users who are members of groups with that role assignment. There's no need to make any changes at the account level.
Computer
Centrify Suite Zones and computer roles dramatically simplify the configuration and repurposing of UNIX computers. For example, when a new computer with the DirectControl Agent is joined to a Zone, group members with privileges in that Zone can access it without the tedium and potential mistakes of creating new accounts and assigning rights on the machine itself. If you need to constrain the rights of some users when they access the machine (for example, the FinSA admins described earlier), add the computer as a member to a Computer Role. Now, those group members with access assignments in that role can access it too. Repurposing a machine is similarly straightforward.
To change Zones: adleave and then adjoin the other Zone.
To change computer roles: remove it as a member from one and add it as a member of the other.
You do not need to change the user accounts or access rights on the machine.
Where to next
You should proceed to the next chapter for the description of the DirectManage Report Center. However, if you use either of the following for authentication and authorization, there is additional information in the appendixes. Do you use Kerberized OpenSSH for authentication? If so, Centrify Suite includes a compiled version of the latest OpenSSH distribution to make it easy for you to install and continue to use SSH for secured authentication to Active Directory using Kerberos. See Appendix A, Using Centrify Suite with SSH.
Do your UNIX computers and applications submit lookup requests directly to a NIS server listening on the NIS port? Centrify Suite includes its own Network Information Service and daemon process to receive and respond to NIS client requests. See Appendix B, DirectControl Network Information Service, to set up the daemon on a managed computer to enable the local UNIX operating system to access NIS maps that are managed and securely distributed from Active Directory.
Chapter 5
The following topics are covered:
Understanding DirectControl Administrator Console reporting
Running DirectControl Administrator Console reports
Creating and modifying report definitions
Hierarchical Zone: These reports are for Zones created using Centrify Suite 2012. Use this series for all examples below.
You can customize the stock reports by filtering, grouping, sorting, and formatting the information included for the objects being reported on. You can also use the New Report Wizard to create your own custom reports. The results from any report can be exported in a variety of popular formats such as PDF, HTML, XML, and Excel.
Current. For example, to retrieve the current information for the Group Report, expand the Groups Report report definition, then click Current.
The first time you open a report the data is not fleshed out. Instead, the folders are listed. Double click on each result to load the item, in this case groups, in the Zone. After you have opened each item, it is added to the tree on the left.
The results data is live allowing you to perform actions on it. For example, you can select an individual group in the results pane and right click to get the Zone properties.
definition you want to snapshot. For example, right-click on Groups Report and select Take a Snapshot. The report is saved under the tree and in the results pane. Double click on that to see the report.
This figure shows the default report format. Click the Report menu and then select Format ... to reformat the display. The following figure illustrates your formatting options. You can print from this window.
Report Center.
2 Click New Report Wizard.
3 Enter a name and optional description for the report. For example, User Report Finance
4 The drop down menu lets you select, at the highest level, the basis for the report. For our example, scroll down and select Zones. Typically, reports retrieve data for opened Zones because reporting on all Zones can drastically impact performance. However, later on in the wizard you will filter the report to retrieve data for one Zone only, so you do not need to worry about performance. By selecting Zones rather than Opened Zones, you can report on the Finance Zone whether it's open in the console or not.
Click Next.
5 Select Yes to relate the Zone to other objects. In the drop down menu, scroll down and select (Yes, Zones that:) contain Zone Users. Then click Next.
Select Zones in the Objects box, then select Name in the Properties box (it should already be selected). Select Zone Users, then select AD User, Name, and UID. Then click Next.
8 You can create a filter in the next window. However, since you don't have many users
The program adds the new report to the Report Center tree. In the Console tree, expand User Report Finance Zone, then right click Current and select Display Report.
Notes
If you see a report with headings but no data, it means there are no users in the Zone. (Recall, for example, that all of the users are in the global Zone.)
If you need to add a user to a Zone, you can do it from the Report Center. Right click the object in the results pane and follow the by now familiar procedure to select the domain, filter for a particular user and select the user. This option also gives you the opportunity to define or modify the user's UNIX profile and assign them a role.
If you make changes, click Report Center, right-click User Report Finance Zone, and select Refresh. Then double-click the Finance object to see the report with the newly added users.
Chapter 6
adquery user:
List the UNIX users in the Active Directory Zone. List all of the UNIX groups in the Zone.
Display join attributes. Change an Active Directory account; for example, delete a user or group.
Deploy immediately any changes you have made to a Group Policy Object (see Chapter 7, A&A: Active Directory Group Policy Controls to learn how to change Active Directory group policies).
adpasswd:
In addition, the Centrify Suite installation package includes two other useful commands:
dzinfo: Use this command to display the current logged in user's attributes: user name, role name and effective rights, PAM application, any privileged commands, and whether she is forced into a restricted environment.
dzdo: Use this instead of sudo when you enter the privileged commands.
See the Centrify Suite, Standard Administration Guide for the full explanation of the ad commands.
In addition, Centrify Suite includes ADEdit, an Active Directory editing tool you run from a UNIX computer in the network. ADEdit is designed for administrators who have traditionally administered their systems from UNIX scripts or the UNIX CLI and includes a scripting language so administrators can build their own sets of commands. The rest of this chapter introduces ADEdit and describes its major features. We also include an ADEdit script that replicates and expands upon the configuration of UNIX users, groups, roles, etc. you created in the earlier chapters. For the full description of the ADEdit commands and library, see the Centrify Suite ADEdit Programmer's Guide provided in the distribution package Document folder.
ADEdit overview
ADEdit provides a command-line interface from a UNIX computer that gives you complete control of Active Directory objects, based on the rights in Active Directory of the user account running the ADEdit command. You can modify every aspect of operation that the DirectControl console offers and build scripts that automate the maintenance functions. A knowledgeable UNIX administrator can use ADEdit alone for complete DC administration. ADEdit has two basic components: the ADEdit application
ADEdit accepts and executes Tcl script files that include the ADEdit commands (see the ade-lib library description). You can run the script from the adedit command interface or as an executable file on the UNIX platform. ADEdit binds to one or more Active Directory domain controllers. ADEdit can query AD for data within bound domains, retrieve AD objects, modify those objects, create new objects, and delete existing objects. Those objects include all DirectControl-specific objects such as Zone objects, Zone user objects, role objects, and more.
ADEdit application
ADEdit uses Tcl as its scripting language. Tcl is a long-established extensible scripting language that offers standard programming features and an extension named Tk that creates GUIs simply and quickly. The Tcl scripting language includes full programming logic with variables, logical operators, branching, functions (called procedures in Tcl), and other useful program-flow features. ADEdit includes a Tcl interpreter and the Tcl core commands, which allow it to execute standard Tcl scripts. ADEdit also includes a comprehensive set of its own commands designed to manage DirectControl, DirectAuthorize, and Active Directory. ADEdit will execute individual commands in a CLI (in interactive mode) or sets of commands as an ADEdit script.
ADEdit commands
ADEdit offers a comprehensive set of commands, grouped into the following categories:
General-purpose commands
ADEdit's general-purpose commands control ADEdit's overall operation and provide information about ADEdit: they provide help text for commands, set the LDAP query time-out interval and quit ADEdit.
Context commands
Context commands set up and control the ADEdit domain context. You bind to a domain to set the context for subsequent object management commands. The other context commands report current bindings, show current bindings and selected objects, and push and pop contexts off the ADEdit context stack.
Object-management commands
Object management commands are the core of ADEdit. They let you do all of the operations performed in Active Directory Users and Computers and the DirectControl Administrator Console via command entries from the ADEdit prompt. The following list summarizes the commands by object:
Zones: Create, select and delete Zones. Additional commands in this category let you list child Zones, display and set Zone field values and assign Zone rights to a user or group.
Computer roles: Create, select and delete computer roles in the selected Zone. Additional commands in this category let you examine and modify computer roles and associate computer roles with role assignments.
Zone users, groups and computers: Create, select, and delete user(s), group(s) and computer(s) in the selected Zone. Additional commands in this category let you examine and modify the user, group or computer attributes.
Commands, User Roles and Role Assignments: Create, select and delete rights (commands), roles and role assignments. Additional commands in these categories let you assemble a set of commands into a role and assign a role to a user or group. Use these commands to list rights, roles and assignments and to modify existing definitions too.
PAM applications: Create, select and delete PAM application objects. Additional commands in this category list the PAM applications in the Zone and let you view and set PAM application fields.
NIS maps: Create, select and delete NIS map objects in the selected Zone. Use other commands in the category to list and examine map entries.
Generic Active Directory objects: Create, select or delete Active Directory containers, users and groups. Use the other commands in this group to view and modify object attributes.
Utility commands
Utility commands perform useful data retrieval and data conversion tasks. They convert domain names and security principal names from format to format and they manipulate distinguished names. They check with Active Directory to convert between user principal names (UPNs) and distinguished names. They query Active Directory for local users, look up users by UNIX name, look up security principals by security IDs (SIDs), and convert SIDs to escaped strings. They also return information about users, groups, and group membership and set user passwords.
Security descriptor commands
Security descriptor commands modify security descriptors and make them readable by humans.
Script Example
You could have used an ADEdit script to create the environment described in the A&A chapters. The Centrify forum has an ADEdit script you can download that shows how to create the Zones, users, groups, roles, rights, etc. you created earlier. In addition, the sample expands upon the elements to give you a richer environment to continue your evaluation. To get the script, go to the following URL
http://www.centrify.com/evalsetup
and download the tgz file. Copy the file to any UNIX node that has the DirectControl UNIX tools and use the host's commands to unpack it. For example, if the UNIX host is running Red Hat you would use the following commands:
#gunzip Centrify-Suite-Eval-Script.tgz
#tar xvf Centrify-Suite-Eval-Script.tar
This extracts the file adsetup-evalguide.sh from the tar file. The remainder of this section describes how to run this script. We strongly recommend using this script as a part of your evaluation. See Inside the script on page 111 for a description of the script's elements.
Note The script is updated often. Some elements, such as users or groups, may not match exactly the description that follows.
Run script
Note If you have any open instances of Active Directory Users and Computers and the DirectControl Administrator Console, you do not need to close them. However, be sure to refresh after running the script to update the display.
To run the script, change to the directory in which you unpacked the file and enter the following command. You will need the Windows Server Administrator's password to complete the operation.
./adsetup-evalguide.sh -d [your domain] -o [ou=baseOU] -u [Administrator or privileged account]
-o is the base organizational unit; enter the base name in the form ou=name
-u is the account name
For example, the following picture shows the command you enter based on the exercises so far (domain = demo, base ou = UNIX, and user = the Windows Server Administrator). The picture also shows the messages displayed by the script. (These messages may change with new releases of the script.)
The following figure illustrates the Zones, users, and groups created by the script. It's an expansion upon the users and groups created in the exercises. To see the additions, open Active Directory Users and Computers: the new groups are in domain > UNIX > UNIX Groups and the new users are in domain > Users and domain > UNIX > UNIX Groups > UNIX Users.
Note Since the script adds the users to the UNIX Users group, the Zone Provisioning Agent automatically assigns the UNIX properties to each account.
Now, open the DirectControl Administrator Console. Notice that the new Marketing groups (for example, MktgSA, MktgUser and MktgWA) do not appear in the mktg child Zone Groups, only in Role Assignments. This is because you need to add the UNIX attributes to Active Directory groups ONLY if you are going to use the UNIX group ID for access controls on the UNIX file system. If you are not using the UNIX GID for access controls on the UNIX file system, you do not need to add the UNIX properties to an Active Directory group. Instead, all you need to do to define group members' access rights is make the Role Assignment in the DirectControl Administrator Console directly to the Active Directory group. In addition, notice that there is an EntApache computer role in the Global Zone. This was added to demonstrate how the hierarchical model applies to computer roles. For example, the EntApache computer role would include as its members all of the computers in the FinApache and MktgApache roles. This grants the EntSA group members access rights to all computers in both of the roles. However, FinWeb members can only access the computers in FinApache. This also makes adding a machine to a computer role easy: after it has joined the finance Zone, just add it as a member to the FinApache group. Instantly, all members of EntWA and FinWA have their group access rights.
The example script expands on the foundation created in the earlier chapters in two basic areas: Adds the mktg Zone
For example, expand Global > Authorization > Right Definitions > Commands. These commands were created in the script in the Global Zone so that they would be available for role definitions in the Global and any child Zones.
Alternatively, if you wanted commands that were just available within a specific Zone, you would define them in that Zone alone. Similarly, the script added several PAM access applications to the global Zone. The users in each Zone may need only one of them, but it is convenient to have them all in one place.
This Zone also demonstrates how precisely you can define a role. For example, click on the WebAdmin role.
The purpose of a role is to define very precisely what users can do; in this case, users and groups with the WebAdmin role can only do the commands listed in this figure. The script makes the role assignment to the MktgSA group in the MktgApache computer role.
This limits the computers on which the group members have the authorization to use these commands to just the MktgApache role member computers. You can use the same rights and roles for other groups too. For example, you could assign the WebAdmin role to the FinWeb group in the FinApache computer role. This would give FinWeb group members the same privileges, however, they would only be able to exercise those privileges on the computers in the FinApache computer role.
The script anticipates that you have already created the UNIX, UNIX Groups and Service Accounts organizational units and the UNIX User group.
Create Zone structure (76): Creates the Global, FIN and mktg Zones. In this example, however, the create commands for Global and FIN are commented out since they already exist.
Create AD users (91): Creates the Active Directory accounts for all of the users. In the DirectControl Administrator Console, see Global > UNIX Data > Users for the full list of users. If you want to try logging in as one of these users, all accounts are assigned the same password, testTEST1234.
Add all users to our Global Zone (123): Adds each user to the Active Directory UNIX User group. Because the Zone Provisioning Agent service is running, the names are automatically provisioned and added to the Global Zone.
Creating Groups for the users (150): Creates the Active Directory Groups and adds the user(s) to the group. Notice in the commands that the groups are added to the UNIX Groups organizational unit.
Create Computer roles (201): Creates a new Active Directory group (in this case in the UNIX Groups OU) and then creates the computer role in the target Zones.
Create command rights in the Global Zone (232): Creates each of the command rights in the Global Zone. You can create rights in any Zone; however, they are only available to roles in that Zone or lower.
Create PAM rights (289): Creates each of the PAM application rights.
Create user roles (314): Creates the WebAdmin and SysAdmin roles and adds the rights associated with each role.
Perform the Role Assignments (349): Assigns the roles just created to the groups created earlier.
For more information on the commands and syntax, see the Centrify Suite ADEdit Programmer's Guide.
Chapter 7
Adding Centrify Suite group policies for UNIX
Group Policy Examples
computers. These group policies are then enforced any time a computer with a policy applied starts up, at a policy-defined periodic interval, on-demand when you run an update command, and when users log on. Centrify DirectControl provides its own administrative template for UNIX-specific group policies to complement the limited number of Windows group policies that can be applied to UNIX users and computers.
The Group Policy Management Console allows you to create new Group Policy Objects, link Group Policy Objects to sites, domains, and organizational units, delegate group policy permissions to specific users and groups, and perform other tasks.
Make sure you have the Microsoft Standard Suite console or at least the Group Policy Object Editor snap-in installed on the Windows workstation. The examples below illustrate use of the Group Policy Object Editor. To use the Centrify Suite group policies for UNIX, you must add the Centrify Suite Administrative Templates to the Group Policy Object you want to work with. To add the Centrify Suite Administrative Templates to the Default Domain Policy:
1 Log in as an administrator on a Windows computer where you can perform administrative functions.
2 Start the Group Policy Object Editor by clicking Start > Run and typing gpmc.msc.
In this step you create a new Group Policy Object to link to the demo domain. Expand Domains and right-click the domain you are using for your evaluation system (demo if you have used our domain name). Select the Create a GPO in this domain ... option. Enter Eval system as the name.
3 Right-click the Eval system policy you just created and click the Edit... option.
4 In the Group Policy Management Editor window, expand the Policies node and right
The Open window lists a set of templates. First, select centrifydc_settings and click Open.
6 Repeat Step 5 and this time select centrify_unix_settings and click Open.
7 Repeat Step 5 and this time select centrify_linux_settings and click Open.
These are the only templates used in this exercise. If you would like to see the other policies (for example, there are extensive settings for Mac OS), click Add again to select more templates for review.
8 Click OK.
These steps added a comprehensive set of DirectControl policy settings you can apply with the Group Policy Management Editor. The following figure illustrates the window with the DirectControl options. The remainder of this chapter illustrates how to set several common policies.
5 Select the Administrator and click OK. (You can leave In zone: blank in this exercise.)
The Set user mapping policy is now enabled, and the root account for the UNIX nodes is mapped to the Active Directory domain controller's administrator account. Double-click on Set user mapping to view the new properties or add more user mappings.
SSH settings
The Centrify Settings node is also a convenient way to enable SSH settings. For example, expand the SSH Settings tab and click on the following policies to enable or disable them. Click the Explain tab for more details on each option.
Prevent root login: This policy lets you prevent the UNIX computer's root user from logging in. The following figure illustrates how to enable the Permit root login policy to prevent root login. When you enable the Permit root login policy, you can control root's access method, including preventing access entirely. However, enabling this option may complicate your evaluation. Leave it for another time.
Enable PAM authentication: Set this policy to enable PAM authentication, account processing and session processing.
Allow GSSAPI authentication: Specifies whether authentication based on GSSAPI may be used, either using the result of a successful key exchange, or using GSSAPI user authentication.
Allow GSSAPI key exchange: Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange does not rely on ssh keys to verify host identity.
Specify client alive interval: Sets a timeout interval in seconds after which, if no data has been received from the client, sshd sends a message through the encrypted channel to request a response from the client (see figure).
Specify maximum client alive count: Sets the number of client alive messages which may be sent. If no response is received after that many messages, sshd terminates the session (see figure).
Note
Use the Specify client alive interval and Specify maximum client alive count policies together to set the inactivity timer (interval multiplied by count). For example, in this illustration the inactivity time is set to 15 minutes.
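The policies above end up as keywords in the sshd_config file on each UNIX computer. The following script is an added example, not part of the Centrify guide: it reads an sshd_config, reports the settings that matter for the policies just described, and computes the inactivity timer the note refers to. It assumes OpenSSH's keyword semantics (first uncommented occurrence wins) and the OpenSSH defaults of the period for absent keywords; the two sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Centrify guide): audit an sshd_config file for
# the settings the SSH Settings policies control, and derive the inactivity
# timer as ClientAliveInterval x ClientAliveCountMax.
# Assumed defaults when a keyword is absent (OpenSSH of the guide's era):
# PermitRootLogin yes, UsePAM no, ClientAliveInterval 0, ClientAliveCountMax 3.

# sshd_value FILE KEYWORD DEFAULT: print the effective value of KEYWORD.
# sshd honours the first uncommented occurrence, so stop at the first match;
# keywords are case-insensitive, and commented lines never match because
# their first field starts with '#'.
sshd_value() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1" | tr 'A-Z' 'a-z')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# inactivity_seconds FILE: seconds of client silence before sshd drops the
# session (interval x count); 0 means the keepalive check is disabled.
inactivity_seconds() {
    i=$(sshd_value "$1" ClientAliveInterval 0)
    c=$(sshd_value "$1" ClientAliveCountMax 3)
    echo $((i * c))
}

# check_sshd_config FILE: print one finding per line; return the finding count
# (0 = clean), so the function doubles as a pass/fail exit status.
check_sshd_config() {
    n=0
    if [ "$(sshd_value "$1" PermitRootLogin yes)" != no ]; then
        echo "PermitRootLogin is not 'no': direct root logins are allowed"; n=$((n + 1))
    fi
    if [ "$(sshd_value "$1" UsePAM no)" != yes ]; then
        echo "UsePAM is not 'yes': PAM authentication, account and session policies are bypassed"; n=$((n + 1))
    fi
    if [ "$(inactivity_seconds "$1")" -eq 0 ]; then
        echo "ClientAliveInterval is 0: idle sessions are never timed out"; n=$((n + 1))
    fi
    return $n
}

# Constructed samples (not real hosts): a stock file with the relevant keywords
# commented out, and one matching the policies above with 300 s x 3 = 15 min.
SAMPLE_DIR=$(mktemp -d)
WEAK="$SAMPLE_DIR/sshd_config.weak"
HARDENED="$SAMPLE_DIR/sshd_config.hardened"
cat > "$WEAK" <<'EOF'
Port 22
#PermitRootLogin yes
UsePAM no
EOF
cat > "$HARDENED" <<'EOF'
PermitRootLogin no
UsePAM yes
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
ClientAliveInterval 300
ClientAliveCountMax 3
EOF

for f in "$WEAK" "$HARDENED"; do
    echo "== $f (inactivity timer: $(inactivity_seconds "$f") s)"
    check_sshd_config "$f" || echo "   $? finding(s)"
done
```

Point the functions at a real /etc/ssh/sshd_config after a group policy update to confirm that the policy values you set in the editor actually reached the host; a non-zero return from check_sshd_config is the simplest signal to wire into a compliance check.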
Firewall rules
Another useful policy is Linux Settings > Specify basic firewall settings. Enable this policy to define a set of rules for a simple exclusionary firewall.
When you enable the policy you are prompted to enter rules that control input and output. The rule format is

Name:Type:Protocol:Port:Action

where

Name
Type is either INPUT or OUTPUT. Use INPUT to block the incoming port and OUTPUT to block the computer from sending on that port.
Protocol should be one of tcp, udp, icmp, or all.
Port is the port number.
Action is either ACCEPT or DROP.
If you just enable but do not specify a rule, the firewall default allows all outgoing traffic but blocks all inbound traffic except ssh and ping. The following figure illustrates the firewall settings with the default set and a rule that allows web server connections to the machine.
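Rules typed into the policy editor are not checked for you, and a malformed one is easy to miss in a long list. The following script is an added example, not part of the Centrify guide: it validates rules against the Name:Type:Protocol:Port:Action format described above and renders each valid rule as the iptables command it corresponds to. The iptables rendering is an illustration of what the rule means; the guide does not describe how the agent applies the policy on the host, and the treatment of the port field for icmp and all is an assumption. The sample rules are constructed.

```shell
#!/bin/sh
# Added example (not from the Centrify guide): validate rules written in the
# Name:Type:Protocol:Port:Action form described above, and show what each one
# means as an iptables command. The rendering is illustrative; the guide does
# not say how the agent applies the policy on the host.

# split_rule RULE: populate name/type/proto/port/action/extra from one rule.
split_rule() {
    IFS=: read -r name type proto port action extra <<EOF
$1
EOF
}

# validate_rule RULE: print a reason and return 1 on any deviation from the format.
validate_rule() {
    split_rule "$1"
    if [ -z "$name" ] || [ -z "$action" ] || [ -n "$extra" ]; then
        echo "bad field count (want Name:Type:Protocol:Port:Action): $1"; return 1
    fi
    case $type in INPUT|OUTPUT) ;; *) echo "Type must be INPUT or OUTPUT: $1"; return 1 ;; esac
    case $proto in tcp|udp|icmp|all) ;; *) echo "Protocol must be tcp, udp, icmp or all: $1"; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "Port must be numeric: $1"; return 1 ;; esac
    [ "$port" -le 65535 ] || { echo "Port out of range: $1"; return 1; }
    case $action in ACCEPT|DROP) ;; *) echo "Action must be ACCEPT or DROP: $1"; return 1 ;; esac
    return 0
}

# rule_to_iptables RULE: render an already-validated rule. tcp/udp rules match
# the destination port; icmp and all carry no port match in iptables
# (assumption: the Port field is ignored for them).
rule_to_iptables() {
    split_rule "$1"
    case $proto in
        tcp|udp) echo "iptables -A $type -p $proto --dport $port -j $action" ;;
        icmp)    echo "iptables -A $type -p icmp -j $action" ;;
        all)     echo "iptables -A $type -j $action" ;;
    esac
}

# check_rules RULE...: validate every rule; return the number of bad rules.
check_rules() {
    bad=0
    for r in "$@"; do
        if validate_rule "$r" >/dev/null; then
            echo "ok   $r  ->  $(rule_to_iptables "$r")"
        else
            echo "BAD  $r"; bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed sample: the guide's web-server rule plus some malformed ones.
check_rules "web:INPUT:tcp:80:ACCEPT" "dns:OUTPUT:udp:53:DROP" \
            "ping:INPUT:icmp:0:DROP" "bad:IN:tcp:80:ACCEPT" \
            "bad:INPUT:tcp:70000:DROP" || echo "$? bad rule(s)"
```

Remember that these rules sit on top of the policy default described above (all outbound traffic allowed, all inbound blocked except ssh and ping), so an INPUT ... ACCEPT rule opens a port that would otherwise be closed, and an OUTPUT ... DROP rule closes one that would otherwise be open.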
This concludes the introduction to the Centrify Suite authentication and authorization components and services. Continue your introduction with the DirectAudit installation and introduction in the next chapter.
Chapter 8
These components are introduced in Chapter 1, Start Here (see DirectAudit Components on page 18). For expediency, the installation process described below installs all of these components on the Windows system. This includes a copy of SQL Server Express used for the Audit Store and Audit Server. In a production environment, these would be distributed across different nodes and have redundant elements. For more in-depth descriptions of the components and your configuration options, see the Centrify DirectAudit Administrator's Guide.
Note The DirectAudit package includes SQL Server Express and, for convenience only, the instructions tell you to install it. If you already have SQL Server installed on one of your systems you can specify that instead. Alternatively, the installation process includes a link to the Centrify website from which you can download other SQL Server options.
Installs SQL Server Express and creates the DirectAudit Audit Server and Audit Store databases. Installs and configures the collector. Installs the Auditor and Administrator consoles.
Part of the DirectAudit installation is already complete. When you selected the DirectAudit components in the Suite installer, the Deployment Manager installed the DirectAudit Agent and UNIX command line tools on the UNIX computer(s) selected. This procedure automatically installs SQL Server Express and creates new Audit Server and Audit Store databases as a convenience to those who do not already have a SQL Server on their network. If you want to use an existing SQL Server, see the DirectAudit Administrator's Guide for the instructions. Also note that if you use an existing SQL Server to create the Audit Server and Audit Store databases, DirectAudit uses TCP port 1433 (the default) for communications. If you use an existing SQL Server and it uses a different port, see the DirectAudit Administrator's Guide for the configuration instructions. Before you begin the installation, make sure your Windows system and UNIX computer(s) are joined to the Active Directory domain controller and you are logged on to a domain account.
3 Click Next from the Centrify DirectAudit Setup window and accept the terms.
4 In the Select Components window, select all of the components (the default).
looks like this. Scroll through the summary to see the results. Make sure the box Launch Configuration Wizard (circled in figure) is checked. Click Finish.
Then click Exit in the Getting Started window to close it. You are done with that part of the installation. This concludes the installation; however, configuration is not yet complete.
Configuration
The Welcome ... reminds you about the privileges you will need to have. Click Next in the Welcome window.
important when you have multiple installations (separate sets of audited systems collectors, audit servers, etc.) For this exercise, enter Evaluation (case sensitive).
2 Specify database: Unless you have a database already installed and want to use it as a part of the evaluation, click Next to use the default, Install a new SQL Server Express .... If you want to use an existing database, check the other button and browse for it.
3 Select SQL Server package: The default Setup package is the SQL Server Express included in the distribution. Click Next to accept the default. If you have another package you would prefer, browse for it. For a production system, you can also download SQL servers from the link shown.
4 Open port in firewall: The Collectors use TCP port 5063 to get the data from the audited terminals. Normally, this port is not open. Click Yes to open it. The program proceeds to set up the configuration. This can take a few minutes, especially if you are installing the database.
Click Finish when prompted to exit the installation. The installation creates a service connection point in Active Directory. (In Active Directory Users and Computers, select View > Advanced Settings and expand Program Data.) It displays a Summary window that lists the properties. This concludes the DirectAudit installation and configuration on the host Windows workstation(s). Proceed to the next section if you want to audit more Windows workstations. Otherwise, skip to Replay example for an audit session example.
The DirectAudit Agent is different for 32- and 64-bit systems. If your target Windows DirectAudit Agent computer has a different processor architecture, download the other Enterprise edition from the Centrify Download Center and use the DirectAudit Agent from that package.
To install the DirectAudit Agent go to Centrify-Suite > DirectAudit > Centrify DirectAudit Agent Msi and launch Centrify DirectAudit Agent.msi. Or copy the file to the target Windows system and launch it. When prompted, accept the terms and enter another directory if the default does not work for you. The wizard installs the DirectAudit Agent software and, by default, launches the Agent Configuration Wizard (see the Run Agent Configuration Wizard checkbox in the Wizard's Finish window). The Configuration Wizard prompts you for three properties:
Color quality: Choose a lower color quality to use less space per session.
Offline location: The folder the Agent uses to store session data when the Collector is offline.
Setup DirectAudit Installation: The Wizard queries the Audit Server for all existing DirectAudit Installations. At this juncture, you have just the one you created above; select it.
When it's done, the Wizard starts capturing the session activity immediately. Repeat the DirectAudit Agent installation on all of the Windows systems you want to audit.
Replay example
The DirectAudit Agent on the Windows computer(s) captures session activity from the time of installation. You can replay your session activity to see how DirectAudit works on Windows computers. Double-click on the DirectAudit Auditor 2012 Console on the desktop. The sessions are organized by when the session occurred (for example, Today, Yesterday, This Week or This Month) and other properties. The next chapter describes the different categories. The Windows workstation session is in two places: Today and Active. Click on Today. Your display should look similar to the following (you have different Today sessions).
Double-click on the session. It takes a couple of seconds for the session to be retrieved from the database. Your display will be similar to the following:
The play bar along the bottom shows the progress through the events. You can also click on the events to jump to that sequence. The next chapter explains more about the replay controls. This concludes the installation chapter. The next chapter describes how to set up sessions, the replay controls, and managing the sessions.
Chapter 9
Auditor Console
Direct Audit UNIX Utilities
Queries
Windows Start-menu utilities
Administrator Console
Close sessions
Where to next
directly.)
2 Configure computer for the installation: Enter the following command to configure the
where Evaluation is the installation name you entered during set up in the previous chapter. If you entered a different installation name, enter that instead.
3 Start session: Run the following command to enable (-e) auditing on all shells (-a) on this machine:
# dacontrol -e -a
This command captures the input and output for all shells available on the machine. There are other commands that, for example, set the trace on specific commands only or on specific users. See Direct Audit UNIX Utilities on page 139 below for an introduction to these commands.
4 Run the dacontrol command to verify that auditing is enabled for all shells. You should
Note When you enable auditing, Centrify Suite links each audited shell to the cdash shell, which is a wrapper that enables Centrify Suite to record activity on the shell.
5 Log off and then log in to the computer. The session does not start until the user logs in.
Auditor Console
You use the Auditor console to view and manage recording sessions.
At this point, DirectAudit is monitoring at least two systems: the Windows workstation (win7.test.co) and the UNIX computer (redhat.test.co above). Your display likely has different computers and sessions. In this figure, the Today search is selected: a list of all the sessions that were initiated and continue or ended since midnight. The Yesterday, This Week, and This Month searches accumulate the sessions as time goes by. IMPORTANT: Right-click in the view and choose Refresh every time you change views. This forces a query to the database to update the data displayed. Click Active Sessions to see the current, ongoing sessions. (This view eliminates the Today sessions that have closed.)
You are prompted to enter a comment and click OK. Now, click Sessions to be Reviewed, right-click inside the pane and choose Refresh. Select the session and right-click. Your options are as follows:
Replay: Opens a new window that shows the event list and reproduces the corresponding display.
Indexed event list...: Opens a window with just the session events. Use this window to start the replay at a specific event.
Properties: Opens a window with the session's properties: General, Review Status and Comments. The Review Status tab shows the most recent status change. The Comments tab shows you all comments already entered and lets you make additional entries.
Update Review Status: Displays a menu (the same one as in the above figure) of the Status options.
  None: The session is not review- or action-worthy.
  Pending for Action: Route this session to the Sessions Pending for Action list rather than the Sessions to be Reviewed list.
  Reviewed: The session has been reviewed.
  To be Reviewed: The session is open for review.
The status you select is shown in the Review Status field in the line item display. (Scroll to the right to see the Review Status field. You can re-arrange the columns to make them more convenient too; just click then drag to the preferred location.)
Help: Displays help for the current session.
To complete this exercise, select the session in Sessions to be Reviewed, click Update Review Status and this time select Pending for Action. Right-click in the pane and select Refresh. The session is no longer listed in this set. Select Sessions Pending for Action, right-click in the pane and select Refresh. The session now appears in this list. Subsequently, if you changed the session's Review Status to Reviewed to indicate that the action had been completed, the session would be removed from this list and listed solely in Today, This Week, or This Month. Where the session resides depends only upon the Review Status you assign.
Replay options
This section describes how you control the playback. The following figure illustrates a Windows replay session with the magnifier on. The basic controls described next are the same for a UNIX session; however, the information above the controls in the left pane is different. The Play button changes to a Pause button when the session is playing, and vice versa.
Click the Speed button to fast forward at different rates. The dark blue time bar across the bottom of the window represents the total session timeline. The Timepoint needle shows you the current location in the session. You can drag the needle to any point in the session. The light blue shading in the time bar indicates the segment of the session that is currently in memory.
The Real-time icon to the right of the time bar indicates that the session plays in a smooth time sequence. If you want to play back the session moving swiftly from one user action to the next, click the icon to gray it out. The Session point indicates the date and time of the Timepoint needle.
The magnifier appears as a magnifying-glass pointer in the replay pane. You click to magnify and click again to revert to the pointer.
Queries
Today, Yesterday, This Week, UNIX Password Access, Windows MMC tools, etc. are just a set of predefined queries. Each query searches the Auditor database for sessions that meet the criteria. Right-click any query and select Properties. To see the search criteria, open the Definition tab. You can write your own queries to specify the criteria that sessions must meet to be returned by the Auditor console. This section takes you through the steps to create some custom queries.
Query.
2 In the query builder, type Unclassified sessions
sessions marked
3 Keep the default for type of session (both UNIX and Windows).
4 Since you do not have many sessions yet, leave the Group by: and Order by: boxes unchecked.
5 Click Add to add criteria. Select review from the Attribute drop-down menu and highlight None, so that the criterion reads review = None.
6 Click Add again. This time select time, select the bottom radio button, Is
and in
week.
7 The Criteria pane should show both rules. Click OK to complete the query build.
In a moment or two, your query appears as a node under the All Shared Queries node. Click Unclassified sessions to get the results.
jean john    return any data fields that contain the string jean and the string john
             return any data fields that contain the string jean or the string john
             return any data fields that contain the exact string jean john
DirectAudit examines user, machine, time, module, and text for a match with the quick query string you typed. You can later edit a quick query by highlighting its node in the left pane and selecting Properties from the context menu. You can change the name and add a description on the General tab. The Definition tab already includes the query type, group, order and criteria you defined in your query text. You can edit these using check boxes and lists, just as you do with private and shared queries.
dad: start or stop the DirectAudit daemon (dad) directly
dadebug: enables/disables debug logging for dad.
dareload: forces dad to reload configuration properties from the DirectAudit configuration file on the UNIX computer and apply changes without restarting dad.
dadiag: displays detailed information about the configuration and current auditing status.
dainfo: also displays detailed information about the configuration and current auditing status. For example, to get in-depth information about the session, enter dainfo -d. Your display will have similar contents to the following. The significant lines are highlighted and explained below.
# dainfo -d
Establishing connection with dad: Success (1)
Dad's online status: Running (2)
Dad's current Installation: 'DefaultInstallation213' (configured locally)
Dad's current Audit Store: Default-First-Site-Name@jeff.domain.test3AuditStore
Dad's current Collector: WIN7PRO64.jeff.domain.test3:5063:HOST/win7pro64.jeff.domain.test3@JEFF.DOMAIN.TEST3
Dad's offline db size: 86.00 Bytes
Getting offline database information:
  Size on disk: 8.00 KB
  Database filesystem usage: 4.16 GB used, 7.34 GB total, 3.17 GB free
Machine IP address: 172.27.14.228
Machine is joined to jeff.domain.test3
Machine is in site 'Default-First-Site-Name'
Pinging adclient: Available (3)
Installations:
  DefaultInstallation213
    Active Directory Object: jeff.domain.test3/Program Data/Centrify/DirectAudit/Vegas-Installation-85adf0a1-6b88-4f3f-8796-e34d165d96d5
    Object GUID: 3526c3a2-c565-4923-ab0c-1d0c73cc8254
    Installation Id: 4b779baa-cea8-4dee-8fb1-cc5291d26691
    Audit Stores:
      Default-First-Site-Name@jeff.domain.test3-AuditStore
        Site(s): Default-First-Site-Name@jeff.domain.test3
        Subnet(s): None configured
        Trusted Agents: All
        Trusted Collectors: All
        Audit Store Active Database: Data Source=win2k3-dc1.jeff.domain.test3 Initial Catalog=Default-First-Site-Name@jeff.domain.test3AuditStore-2011-05-17
Machine's Installation: 'DefaultInstallation213' (configured via Group Policy)
Machine's Audit Store is 'Default-First-Site-Name@jeff.domain.test3AuditStore' because it services site 'Default-First-Site-Name'
Collectors servicing Audit Store 'Default-First-SiteName@jeff.domain.test3-AuditStore':
  win2k3-dc1.jeff.domain.test3 (4)
    Port: 5063
    SPN: HOST/win2k3-dc1.jeff.domain.test3@JEFF.DOMAIN.TEST3
  WIN7PRO64.jeff.domain.test3 (4)
    Port: 5063
    SPN: HOST/win7pro64.jeff.domain.test3@JEFF.DOMAIN.TEST3
  WIN7X86.jeff.domain.test3 (4)
    Port: 5063
    SPN: HOST/win7x86.jeff.domain.test3@JEFF.DOMAIN.TEST3
Attempting to connect to Collectors:
  Host: win2k3-dc1.jeff.domain.test3 - Success (5)
  Host: WIN7PRO64.jeff.domain.test3 - Success (5)
1: Whether the collector has established a connection with the Centrify Suite daemon (dad) on the UNIX machine
2: The status of dad on the audited UNIX machine (Online or Offline; Running in this example)
3: Whether CentrifyDC, the adclient program, is running
4: The names of the Centrify Suite collectors
5: Whether a connection has been made to each collector
Note
Collectors are stored in a serviceConnectionPoint (SCP) in Active Directory. The command verifies that the collector SCPs have been found.
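The five numbered lines above are what you look at first when a UNIX computer's sessions fail to appear in the Auditor Console. The following script is an added example, not part of the Centrify guide: it reads saved dainfo -d output and turns those five checks into a pass/fail report. The line formats are taken from the guide's sample output; the hostnames, installation names and the "Failed" outcome in the second sample are constructed (the guide only shows "- Success", so the script treats anything else on a Host: line as an unreachable collector).

```shell
#!/bin/sh
# Added example (not from the Centrify guide): a health check over saved
# `dainfo -d` output that tests the five points called out above. Line
# formats follow the guide's sample output; hostnames are constructed
# placeholders, and "- Success" is the only outcome string the guide shows,
# so anything else on a Host: line is treated as a failed connection.

# dainfo_check FILE: print OK/FAIL per point; return the number of failures.
dainfo_check() {
    f=$1
    fails=0
    # present LABEL PATTERN: one line must match PATTERN (basic regex)
    present() {
        if grep -q -- "$2" "$f"; then
            echo "OK   $1"
        else
            echo "FAIL $1"; fails=$((fails + 1))
        fi
    }
    present "1 collector can reach dad"     "^Establishing connection with dad: Success"
    present "2 dad is running"              "^Dad's online status: Running"
    present "3 adclient (CentrifyDC) is up" "^Pinging adclient: Available"

    # 4: every collector registered in the audit store's SCP carries an SPN line
    collectors=$(grep -c '^[[:space:]]*SPN: ' "$f" || true)
    if [ "$collectors" -gt 0 ]; then
        echo "OK   4 $collectors collector(s) found in Active Directory"
    else
        echo "FAIL 4 no collectors found"; fails=$((fails + 1))
    fi

    # 5: each "Host: ... - Success" line is a collector the agent could reach
    hosts=$(grep -c '^[[:space:]]*Host: ' "$f" || true)
    reached=$(grep -c '^[[:space:]]*Host: .* - Success$' "$f" || true)
    if [ "$hosts" -gt 0 ] && [ "$hosts" -eq "$reached" ]; then
        echo "OK   5 reached all $hosts collector(s)"
    else
        echo "FAIL 5 reached $reached of $hosts collector(s)"; fails=$((fails + 1))
    fi
    return $fails
}

GOOD=$(mktemp)
BAD=$(mktemp)
# Constructed: healthy agent with two reachable collectors
cat > "$GOOD" <<'EOF'
Establishing connection with dad: Success
Dad's online status: Running
Dad's current Installation: 'Evaluation' (configured locally)
Pinging adclient: Available
Installations:
  Evaluation
    Collectors servicing Audit Store 'Default-First-Site-Name@example.test-AuditStore':
      collector1.example.test
        Port: 5063
        SPN: HOST/collector1.example.test@EXAMPLE.TEST
      collector2.example.test
        Port: 5063
        SPN: HOST/collector2.example.test@EXAMPLE.TEST
    Attempting to connect to Collectors:
      Host: collector1.example.test - Success
      Host: collector2.example.test - Success
EOF
# Constructed: dad offline and the only collector unreachable (two failures)
cat > "$BAD" <<'EOF'
Establishing connection with dad: Success
Dad's online status: Offline
Pinging adclient: Available
    Collectors servicing Audit Store 'Default-First-Site-Name@example.test-AuditStore':
      collector1.example.test
        Port: 5063
        SPN: HOST/collector1.example.test@EXAMPLE.TEST
    Attempting to connect to Collectors:
      Host: collector1.example.test - Failed
EOF

for f in "$GOOD" "$BAD"; do
    echo "== $f"
    dainfo_check "$f" || echo "   $? check(s) failed"
done
```

On a live system, run dainfo -d > /tmp/dainfo.out as root and pass that file to dainfo_check; a failure on point 4 means the agent could not find any collector SCPs in Active Directory, while a failure on point 5 with point 4 passing usually points at TCP port 5063 being blocked between the agent and the collector.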
For the full description of these commands see the Centrify DirectAudit Administrator's Guide.
On your evaluation system, you also have several other utilities: Collector Control Panel and the two consoles. The following figure illustrates the Agent Control Panel.
Administrator Console
The Administrator Console can only be invoked on workstations on which the Administrator Console was installed (see Installing the DirectAudit components on page 124 for example). When it is installed, the Administrator Console provides a view of all the audited systems, collectors, audit stores and roles in the domain. In addition, you use the Administrator Console to create audit roles and assign users to the audit roles.
The Administrator Console is primarily for viewing the organization and status of audited systems, collectors and audit stores. However, the Master Auditor has Audit Roles permission on the installation. Users in this role can manage and control all audit roles: they can create and remove them, or change target sessions, role membership and permissions (Read, Replay and Update Status). When an installation is set up, the role of Master Auditor (with all permissions) is created, as well as an auditor for each audit store (with the name audit_store_x Auditor). These predefined roles cannot be modified or removed.
Note
To view a list of audit roles, expand the Audit Roles node in the left pane of the Administrator Console. To see a list of the members of an audit role in the right pane, highlight the audit role in the left pane. The audit team leader can assign or remove members for the audit role. To add a new audit role, highlight the Audit Roles node in the left pane, right-click and choose Add Audit Role from the context menu. Take a look at the options, especially the role criteria (time, state, review, and machine) that you can set to constrain the role's rights and privileges. To add a user or group to the role, select the role, right-click and follow the instructions.
Close sessions
The sessions run on the Windows and UNIX computers until you stop them. To stop auditing on a Windows system, start the Agent Control Panel and click the Stop button. To start again after you have stopped it, click the Start button.
Note
Only users with the Master Auditor privileges can start and stop a session. Other users and auditors get an error message if they open the Agent Control Panel and try to stop or start the session.
To stop auditing on a UNIX workstation, use the dacontrol -d command. For example, to stop auditing shell entries and sessions that audit just a specific command, you enter the following:
dacontrol -d -a
Where to next
This concludes the DirectAudit exercises. If you have followed the exercises from the beginning, you have now been introduced to all of the Centrify Suite components except DirectSecure and are prepared to pursue your self-guided analysis. If you need more detail, be sure to look through the two Administrator's Guides included in the package. If your environment uses SSH, NIS or Samba, be sure to read through the appendixes too. Finally, after you have completed your extended analysis, run through the checklist in Chapter 10, Completing the evaluation. This should be a useful tool to help you assess how well Centrify Suite meets your needs.
Chapter 10
Checklist columns: Rank (0-5), Item, Description, DirectControl Score, Weighted Score

Active Directory Integration (ADI)
ADI 1: Active Directory "client" for UNIX, Linux and Mac (includes ability to "join" non-Microsoft system to AD domain); fully supports Kerberos and offers broad platform support (e.g. 280+ platforms)
Virtualization support: Supports zLinux, AIX WPAR/LPAR, HP-UX vPars, Solaris Containers/LDOM/xVM, Citrix Xen and VMware
Works with existing Active Directory schema; i.e. does not require schema extensions
Supports RFC 2307 without need for additional proprietary schema extensions
Cross-forest / one-way trust support
Intelligent Domain Controller discovery and dynamic selection via Site awareness.
Authenticated update of DNS entries for systems with dynamically assigned IP addresses.
Supports Linux systems running SE Linux and AppArmor (i.e. does not require you to disable SE Linux/AppArmor)
Provides optional technical support and tested executables for open source products such as Samba, OpenSSH and PuTTY
Microsoft Windows 2003, Windows 2008, Red Hat and SUSE Certifications

Identity Management and Authentication (AU)
AU 1: Globally unique identity namespace established for new users and new systems, that is used across the environment unless overridden.
AU 2: Individual computers and groups of computers support centralized management of overrides in order to support migration and centralization of complex
AU 3: Support for multiple UNIX identities tied to a single AD Account, i.e. does not force UID rationalization
AU 4: NSS support for all NIS maps managed in Active Directory.
AU 5: NIS Support: Offers NIS Server integrated with Active Directory, allowing for centralized NIS settings; includes support for "agentless mode"
AU 6: Support for local caching of credentials (enables offline login)
AU 7: Supports pre-population of offline cache (for specific users or groups of users)
AU 8: Supports Mac smartcard login to Active Directory for SSO to Windows Integrated services and applications.
AU 9: WebApp Support: Supports AD- and ADFS-based authentication for Java- and J2EE-based applications running on both UNIX/Linux *and* Windows systems
AU 10: DB/ERP Support: Supports AD-based authentication for DB2, Informix, Oracle and SAP R/3
AU 11: Storage support: Supports AD-based identity mapping for NetApp Filers and EMC Celerra
AU 12: Provides a LDAP Proxy to enable LDAP-aware apps to securely integrate with AD (e.g. encrypted communication)

Access Control (AC)
AC 1: Provides interface to enable administrators to easily "see" and restrict computer access to selected groups of users across individual computers or groups of computers
AC 2: Ability to grant temporary access rights based on user Role assignment to individual computers or groups of computers.
AC 3: Ability to report on and easily view resulting set of user access for a given computer (or group of computers)
AC 4: Ability to delegate different admin rights to different administrators for each secure Zone
AC 5: Does not force delegation of administrative privileges along OU boundaries
AC 6: Can also enforce access control locally and via group policy

Authorization (AZ)
AZ 1: Grant users rights to execute commands with elevated privileges to eliminate need for access to privileged accounts and passwords
AZ 2: Ability to grant Privileges for a User Role to an individual computer, Group of Computers in a Role or all computers that share a namespace.
AZ 3: Ability to grant Privileges for a User Role to an individual computer, Group of Computers in a Role or all computers that share a namespace.
AZ 4: Ability to control how a user accesses a system via PAM-enabled apps and interfaces (e.g. ssh, telnet, etc.)
AZ 5: Set time periods when a role can access a system
AZ 6: Ability to grant UNIX entitlements directly to an AD user and/or group
AZ 7: Stores roles and rights inside Active Directory thus eliminating need for additional servers and infrastructure

Group Policy (GP)
GP 1: Provides large number of AD-based Group Policy objects for UNIX/Linux *and* Mac
GP 2: Delivers group policies specific to managing SSH deployments
GP 3: Delivers User group policies in addition to Computer group policies
GP 4: Supports advanced group policy capabilities such as filtering and loopback processing
GP 5: Offers Group Policy editor that delivers free-form editing, a syntax checker and the ability to insert standard commands (e.g. for the sudo policy)

Server Protection (SP)
SP 1: Blocks untrusted systems from communicating with trusted systems
SP 2: Delivers tiered network access by further isolating specific groups of servers
SP 3: Enables optional end-to-end encryption of data in motion
SP 4: Software and policy based solution; no hardware required
SP 5: Requires no changes to network topology or applications
SP 6: Automates provisioning of certificates on UNIX systems
SP 7: Supports DirectAccess, Active Directory and the native IPsec support in modern operating systems

Manageability (MA)
MA 1: Provides centralized pre-installation check capability
MA 2: Provides centralized push technology of software and/or updates
MA 3: Simple licensing; does not require per-user licensing for UNIX systems
MA 4: Centralized license management; does not require reinstall or license key deployment on each system
MA 5: Single product architecture for authentication + group policy + authorization + auditing + app support
MA 6: Single, integrated Windows MMC console for all user, group and computer management as well as migration and reporting (beyond delivering ADUC extension)
MA 7: Provisioning agent that allows AD group membership to control which users can access which groups of systems
MA 8: Integrates with existing provisioning systems such as Microsoft FIM
MA 9: Pre-packaged and customizable reports that provide filtering and grouping and can be saved to Word, Excel, etc.
MA 10: Reporting enables snapshots for comparison purposes
MA 11: Provides migration tools and utilities included at no charge
MA 12: Tools or easy methods for resolving import conflicts (e.g., UIDs) and UID rationalization
MA 13: Support for deployment via 3rd party solutions such as Apple Remote Desktop or Absolute Manage
MA 14: Offers Planning and Deployment Guide
MA 15: Vendor provides pre-packaged service and training offerings to assist in deployments

Auditing* (AD)
AD 1: Detailed, non-intrusive capture of user sessions on UNIX/Linux AND Microsoft Windows systems
AD 2: Comprehensive, easy-to-use search and query capabilities of user session activity
AD 3: Role-based access to query and replay user sessions, managed by AD groups
AD 4: Summary list of all events, commands and applications in user session
AD 5: Visual replay of user sessions through an easy-to-use replay tool
AD 6: High fidelity replay of Windows GUI sessions without just screenshots or slides
AD 7: Interactive replay of user sessions to skip over non-activity or to specific events of interest
AD 8: Session events are selectable, filterable and sortable for easy navigation
AD 9: Export of user sessions to a text transcript or movie file for sharing or reuse
AD 10: Real-time monitoring with an at-a-glance view of all current user activity
AD 11: Command line access to replay a single session or query across sessions
AD 12: Selective auditing based on users, groups or machines
149
Rank Item AD 13 AD 14 AD 15 AD 16 AD 17 AD 18 AD 19 AD 20 AD 21 AD 22 AD 23 Description Administrative delegation of management tasks based on Active Directory users or groups Central view of all component status including remote access to individual component systems Zero-config deployment of audit agent through auto discovery of session collection and storage components Supports broad set of UNIX and Linux platforms Fault-tolerant and load balanced collection of data Stores detailed user-level audit data in a SQL database for ease of reporting and archiving Supports use of multiple audit databases for scaling and security Click-button and scriptable support for rolling, archiving or deleting old session data Fast installer for single system install including database Generates DBA scripts for any DB action Secure install of each component and secure transmission and storage of session data (0-5)
DirectControl Score
Weighted Score
If you would like a spreadsheet version of this table to make calculation of the weighted scores easier, contact your System Engineer.
Appendix A
The installation process makes the Kerberos tools directly accessible by automatically adding /usr/share/centrifydc/bin (for all users) and /usr/share/centrifydc/sbin (for administrators and super users) to the $PATH environment variable.
The Centrify Suite software automatically stops the default sshd and starts the Centrify version, which is stored in /usr/share/centrifydc/sbin. This preserves the default sshd and its configuration files. The first time you start the server, sshd looks for the current set of host keys in /etc/ssh and imports them. If it does not find the keys, it generates new keys and stores them in /etc/centrifydc/ssh. If you ever need to restart the Centrify version (for example, if you modified the UNIX computer's configuration file), use the commands in your shell to stop and then start sshd. For example, the following command works for Red Hat Enterprise Linux and Solaris:
/etc/init.d/centrify-sshd start
Configuring SSH
Chapter 7, A&A: Active Directory Group Policy Controls shows you how to use the Group Policy Object Editor to enable several SSH policies. The following figure illustrates the policy sets.
You can also modify the SSH configuration directly on a node-by-node basis. The configuration is stored on each UNIX computer in the following file:
/etc/centrifydc/ssh/sshd_config
Note The policies enabled in the UNIX sshd_config file are overruled by the ones set in Group Policy Objects. This feature is available for those users who do not use Group Policy Objects.
Testing SSH
You can test the server by connecting to the local host to make sure that SSH is running and accepting connections. For example, the following command should result in a local connection to the SSH server:
/usr/share/centrifydc/bin/ssh root@localhost
When prompted, enter the root password. (Note that this command would NOT work if you had enabled the Permit root login policy to prevent root login; see page 120.)
On a Windows computer joined to the same Active Directory domain, you can now use the PuTTY program distributed in the Centrify Suite package, or any other SSH client that supports Kerberos, to log in. To use the Kerberos option, two conditions must be met. First, you must log in to the Windows workstation using the same account name as the UNIX computer user. (You cannot, for example, log in to the UNIX computer under a different account name in this case.) Second, you must enable Kerberos authentication in PuTTY.
To configure PuTTY for SSH login using Kerberos:
a Open PuTTY.
b In the Category pane, expand Connection > SSH > Kerberos.
c Select Attempt Kerberos auth (SSH2).
d Return to the Session window, enter the host name and click Open. If you want to preserve this option, enter a name in Saved Sessions and click Save. Otherwise, you will have to check this box every time. Subsequently, just click on the session name.
The result should look similar to the following figure. (In this case, the user is Fred Thomas from the script.)
Appendix B
import. You can create the file on either the Windows computer or the UNIX computer, but the file must be accessible from the Windows computer for you to import it into Active Directory. Add the following to the netgroup.txt file to simulate a sample netgroup NIS map for import:
clients (sparrow,,birds) (sparrow.mynet.home,,birds) \
  (chicken,,birds) (chicken.mynet.home,,birds) \
  (parrot,,birds) (parrot.mynet.home,,birds)
servers (eagles,,birds)(eagle.mynet.home,,birds)
nodes servers clients
2 Create a text file named auto.master.txt to store the sample auto.master NIS map entries to import. Add an entry similar to the following to the auto.master.txt file to simulate a sample auto.master NIS map for import:
/tools /etc/auto.tools
3 Create a text file named auto.tools.txt to store the sample auto.tools NIS map entries to import. Add an entry similar to the following to the auto.tools.txt file to simulate a
4 For each of the NIS maps you created, select NIS Maps under the eval-global zone
The following figure illustrates the results. Subsequently, you can use Centrify Suite Administrator Console to add new entries to any map or edit any existing entries.
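Because a netgroup map becomes an access control list once hosts consult it, it is worth checking what a map actually grants before importing it. The following Python is an added example, not code from the guide or from Centrify: it parses a netgroup map in the format of the netgroup.txt file above (backslash continuation lines, (host,user,domain) triples, and nested netgroups such as nodes) and answers innetgr-style membership questions; the sample map is the guide's netgroup.txt embedded inline.

```python
import re
from typing import Dict, List, Set, Tuple

Triple = Tuple[str, str, str]            # (host, user, domain)
Netgroups = Dict[str, Tuple[List[Triple], List[str]]]

# Constructed sample input: the netgroup.txt map from the guide above, with
# its backslash line continuations exactly as they appear in the file.
NETGROUP_TXT = """\
clients (sparrow,,birds) (sparrow.mynet.home,,birds) \\
  (chicken,,birds) (chicken.mynet.home,,birds) \\
  (parrot,,birds) (parrot.mynet.home,,birds)
servers (eagles,,birds)(eagle.mynet.home,,birds)
nodes servers clients
"""

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroups(text: str) -> Netgroups:
    """Map each netgroup name to (its triples, the netgroups it nests)."""
    # A trailing backslash continues the entry on the next line.
    joined = re.sub(r"\\\n\s*", " ", text)
    groups: Netgroups = {}
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        name, _, body = line.partition(" ")
        triples = [tuple(f.strip() for f in m.groups())
                   for m in TRIPLE_RE.finditer(body)]
        # Whatever is left once the triples are removed names nested groups.
        nested = TRIPLE_RE.sub(" ", body).split()
        groups[name] = (triples, nested)
    return groups


def members(groups: Netgroups, name: str, _seen: Set[str] = None) -> Set[Triple]:
    """Flatten nested netgroups into triples; cycles and undefined names
    contribute nothing instead of recursing forever."""
    seen = set() if _seen is None else _seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    triples, nested = groups[name]
    out = set(triples)
    for sub in nested:
        out |= members(groups, sub, seen)
    return out


def innetgr(groups: Netgroups, netgroup: str, host: str = None,
            user: str = None, domain: str = None) -> bool:
    """innetgr(3) semantics: an empty field in a triple is a wildcard, a
    '-' field never matches, and a None argument means "don't care"."""
    def match(field: str, want: str) -> bool:
        if want is None or field == "":
            return True
        return field != "-" and field == want
    return any(match(h, host) and match(u, user) and match(d, domain)
               for h, u, d in members(groups, netgroup))


def hosts_in(groups: Netgroups, netgroup: str) -> List[str]:
    """Every concrete host name a netgroup (transitively) grants."""
    return sorted({h for h, _, _ in members(groups, netgroup) if h not in ("", "-")})


if __name__ == "__main__":
    g = parse_netgroups(NETGROUP_TXT)
    for name in g:
        print(f"{name}: {hosts_in(g, name)}")
    print("chicken in nodes:", innetgr(g, "nodes", host="chicken"))
```

Listing hosts_in(g, "servers") shows, for instance, that the sample's short name eagles and its FQDN eagle.mynet.home do not agree, which is the kind of slip such a check catches before the map is imported.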
Testing adnisd
To test the NIS service that Centrify Suite provides, you need to configure your UNIX computer to be a NIS client to its own locally running NIS server, adnisd. To do this, you first need to set up the NIS client, then you can access the NIS maps hosted in Active Directory. To set up the local NIS client on a computer:
1 Set the zone to support an agentless client. Open the zone in which you created the NIS maps and select its properties. Check the box for Support agentless client.
Note
You must be logged in with administrator privileges to the domain controller to change this property.
2 Set the NIS domain name for the UNIX computer to be the same as the name of the zone in which you stored the maps. For example, enter the following from the UNIX command line to configure the domain name for the eval-global zone from our exercise:
domainname eval-global
3 Edit the NIS configuration file to specify the Centrify Suite zone and the local host name of the UNIX computer, and bind the NIS client. The location or name of the NIS configuration file may vary depending on the client's operating system. The most common location for this file is /etc/yp.conf. Add the following two lines to yp.conf:
domain zone server.domain localhostname
ypserver 127.0.0.1
In the first line enter the zone in which you added the maps, the Active Directory server.domain name and the name of the UNIX computer. For example, using the zone, server and UNIX computer in our exercise the first line would look like this:
domain eval-global win08.demo redhat
(where win08 is the Windows Server computer name and demo is the domain name).
Note
If your NIS clients are configured for broadcast discovery, you can typically skip this step. For example, on Solaris, ypbind uses broadcast to locate its NIS server and does not use a NIS configuration file, so you can skip this step if the client is a Solaris computer.
where hostname is the name of the UNIX computer. For example, using the computer in the exercise, you would add the following:
127.0.0.1 redhat
ipaddress redhat
5 Start the ypbind service to enable the local computer to look up information in the NIS maps served by the local adnisd daemon. For example, on Red Hat Linux:
/sbin/service ypbind start
You should be able to test that the maps that you imported earlier are visible to the local computer by using the following NIS commands:
/usr/sbin/yptest -m netgroup
ypcat -m auto.master
ypcat -M auto.tools
You should now be able to try other operations that require the use of NIS maps such as automounting remote file systems.
Appendix C
Both procedures produce the same result: they remove the DirectControl and DirectAudit agents and the Centrify Suite tools (for example, adinfo, adjoin, and dzinfo); however, the software distribution packages (for example, the agents' .rpm files) and installation scripts are left intact so you can re-install. (If you used Deployment Manager to install the packages, they are in the /tmp/CentrifyInstall directory.)
Deployment Manager analyzes the selected computer and displays a list of the Centrify software found. For example, in the following figure the DirectControl Agent, Centrify-enabled OpenSSH and the DirectAudit Agent were installed on the machine. If you had also installed NIS, it would appear in the list too.
Note If you remove the DirectControl Agent, OpenSSH and the DirectAudit Agent are automatically removed. If you want to leave the DirectControl Agent on the UNIX computer, you can remove OpenSSH and the DirectAudit Agent individually.
Click Next > to proceed. This takes a few minutes. Progress is indicated on the Deployment Manager Welcome page. Scroll down to the bottom of the page. The spinning, busy cursor is displayed as the software is removed. When Deployment Manager is done, it shows that the Centrify software is ready to install.
If you just need to remove the Centrify software from the selected UNIX computer, you are done. Exit Deployment Manager. (Deployment Manager itself is removed when you remove the DirectManage components.)
Using install.sh
You can also remove the Centrify Suite agents and tools from a UNIX console. You use the same install.sh script you used to install the software.
Note
Before you remove the DirectControl Agent, run adleave to unjoin the computer from the domain. If the computer is still joined, the script prompts you to enter an authorized user and password before removing the Centrify software. Change to the directory with the distribution packages and enter:
/bin/sh install.sh
The script determines which software you have installed and displays the following:
Note
The script finds all Centrify software you have installed on the computer. For example, this picture shows other Centrify products, including Centrify-enabled Samba and DirectControl for Web applications.
Enter E to proceed.
The script gives you another chance to exit. Enter Y to proceed. The script then asks if you want to reboot after the uninstall. Enter Y to proceed.
This procedure removes just the DirectAudit components: the Auditor and Administrator consoles, the Windows agent, the Collector and the Audit Store. It does not remove the Audit Store database. In addition, if you installed SQL Server Express with the DirectAudit package, it too remains on the system. To begin, go back to your Centrify Suite DVD/iso and launch autorun. Select Centrify DirectAudit. This time the installation prompt offers a different set of options. Select Uninstall and click Next >.
Notes
Once you click Next > you cannot cancel. The uninstall process invokes the Microsoft Management Console. If you get a prompt that says it has stopped working, select Close the program to proceed. Click Finish to exit. The DirectAudit components have now been removed.
You can cancel an uninstall, but it has unpredictable results. Do not click the Cancel button once the uninstallation process has started. If you inadvertently selected it, let it complete and then launch autorun again to reinstall the software.
The uninstall process invokes the Microsoft Management Console. If you get a prompt that says it has stopped working, select Close the program to proceed.
This concludes Centrify Suite software removal. The uninstallation removed the Centrify software and the Active Directory users' UNIX properties. (For example, launch Active Directory Users and Computers, select an AD user and show her properties. The DirectControl Profile tab is no longer displayed.) The Centrify-related containers (for example, the UNIX OU and the Licenses, Service Accounts, UNIX Groups, UNIX Servers, and Zones nodes you created) remain in Active Directory. To restore your configuration, install the DirectManage software again, launch the DirectControl Administrator Console, right-click the Zones node and open your parent zone (Global in the demo).
Index
A
account lockout policies 116
Adding Centrify group policies 114
ade_lib Tcl library 105
ADEdit 104
  ade_lib Tcl library 105
  commands 105
  context commands 106
  general-purpose commands 105
  Inside the script 111
  object-management commands 106
  run script 107
  script example 107
  script name 107
  script unpack 107
  script user password 112
  script zones, groups, roles, and computer roles 109
  security descriptor commands 107
  utility commands 107
adgpupdate 103
adinfo 103
adjoin 76, 103
adleave 103
Administrator Console
  Reports 97
adnisd
  starting 156
  testing 157
adpasswd 103
adquery 103
adsetup-evalguide.sh 107
adtools 103
  ADEdit 104
  adgpupdate 103
  adinfo 103
  adjoin 103
  adleave 103
  adpasswd 103
  adquery 103
  adupdate 103
  dzdo 103
  dzinfo 103
adupdate 103
agentless client 157
Analyze your environment 46
Assign rights to a role 86
Audit Server 18
Audit Store 18
B
Build computer list 39
C
Centrify DirectControl
  UNIX requirements 30
Centrify Suite
  Deployment Manager 33
  DirectManage 33
  Installation 33
  iso image filename 33
  UNIX installation 38
centrify_gnome_settings 115
centrify_linux_settings 115
centrify_mac_settings 115
centrify_unix_settings 115
centrifydc_settings 115
Computer role
  create 88
  introduction 25
Computer roles
  FinApache 88
conventions, documentation 6
Create groups 69
Create new right 85
Create new role 86
Create rights
  DirectControl Administrator Console, create rights 84
D
dacontrol 139
dad 139
dadebug 139
dadiag 139
dainfo 139
dareload 139
Default zone container 60
Delegating Control 92
Deploy 48
Deployment Manager 33
  Analyze your environment 46
  build computer list 39
  Deploy Centrify software 48
  Download Centrify software 44
  instructions 39
  phases 38
  remove 162
  remove agents 159
DirectAudit 17
  Administrator 19
  Administrator Console 141
  Administrator console 141
  Agent Control Panel 141
  Agent installation 38
  Agent removal 159
  Audit Server 18
  Audit Store 18
  Auditor 19
  close sessions 142
  Collectors 18
  Console 19
  custom query 137
  dacontrol 139
  dad 139
  dadebug 139
  dadiag 139
  dainfo 139
  dareload 139
  quick query 138
  remove Windows components 161
  UNIX utilities 139
DirectControl Agent
  removal 159
DirectControl Administrator Console
  Add UNIX users 61
  add UNIX users to Global zone 65
  Assign rights to a role 86
  connect to forest 57
  create computer role 88
  Create new right 85
  Create role 86
  create zones 63
  default container for zones 60
  Delegate Zone Control 92
  install licenses 58
  license container 58
  Provision tab 65
  remove 162
  setup wizard 57
  show users 80
  user credential 58
DirectControl Agent 13
  installation 38
  removal 159
DirectManage 33
  instructions 36
  launch 36
  remove Windows components 162
DNS environment 32
DNS Server 31
documentation
  additional 8
  conventions 6
Download Centrify software 44
dzdo 103
dzinfo 103
E
EntSA
  add members 70
  create 70
etc/ssh 151
etc/yp.conf 157
evaluation checklist 145
F
Failed to start service 69
FIN zone, create 65
FinApache
  create 88
  role assignment 90
FinDSA 86, 87
FinSA
  add UNIX properties 84
  add user 84
  create 83
  rights 87
FinUser
  add members 70
  assign role 72
  create 70
FinWeb 90
  add UNIX properties 84
  add user 84
  create 83
FinWSA 89, 90
Firewall rules 120
G
Global zone, create 64
Group Policies
  firewall rules 120
Group policies
  centrify_linux_settings 115
  centrify_mac_settings 115
  centrify_unix_settings 115
  centrifydc_settings 115
  prevalidate users or groups 118
  set the login password prompt 118
  SSH settings 118
group policies
  about 113
  adding 114
Group Policy
  set user mapping 116
Group Policy Object Editor 114
Groups, add UNIX properties 71
H
heterogeneous environments
  centralized management 5
I
Install script 53
install.sh
  install agents 53
  remove agents 160
installation
  Windows prerequisites 30
iso image filename 33
J
join
  adjoin command 76
Join UNIX computer 73
L
License container 58
Log in 77
Log on as a service access rights 69
Login
  from UNIX system console 77
  using PuTTY 78
M
Machine Zone
  introduction 25
Machine-level adjustments 79
Macintosh naming convention 6
Management Tools 14
N
Network Information Service, see NIS
NIS 155
  about 155
  agentless client 157
  creating maps 155
  importing maps 155
  installation 49
  removal 159
  starting the adnisd daemon 156
  testing 157
O
OpenSSH
  installation 49
  removal 159
Organization Units
  create UNIX ou 56
Organizational Units 56
  create 56
  create Service Accounts 56
  create UNIX Groups 57
  for UNIX users, groups and computers 56
Organizational Units
  create UNIX Servers 57
P
Prevalidate users or groups 118
Provisioning tab 66
  GECOS 67
  Home directory 67
  Login name 67
  Primary group 67
  shell 67
  Source group 66
  UID 67
PuTTY
  log in to UNIX computer 78
  overview 17
R
Report Center 97
Report Wizard 100
Reports
  Classic Zone 97
  create 100
  Hierarchical Zone 98
  modify 100
  New Report Wizard 100
  purpose of 97
  snapshot 99
  static report 99
Rights
  assign to a role 86
  create new 85
Role
  assign rights 86
Roles
  create new 86
S
Set the login password prompt 118
Set user mapping 116
Show users 80
SSH settings 118
U
UNIX
  system requirements 30
UNIX system
  analyze your environment 46
UNIX systems
  Deploy Centrify software 48
  Download Centrify software 44
  find in network 39
  reboot 54
UNIX tools
  installation 38
UNIX users
  add 61
  add to Global zone 65
  change ID 79
V
virtual environment
  configuring DNS 33
  machine instances 33
  recommended configuration 32
W
Windows
  system requirements 30
Windows Server
  DNS Server 31
Y
ypbind service 158
Z
Zone Delegation Wizard 93
Zone Provisioning Agent
  configure 67
  create UNIX identities 65
  default UNIX properties 65
  default values 66
  Event log 68
  Failed to start service 69
  introduction 17
  Log on as a service access rights instructions 69
  Service account 68
  Settings 68
Zones
  create 63