Saturday, December 28, 2013

Basics: UNIX-Enabling Active Directory Users

Background

In a previous posting we discussed how UNIX systems identify users.
By default, UNIX/Linux systems using Centrify in Zone mode do not allow any user to log in to the systems unless they have:
  1. A UNIX Identity (login, UID/GID, Home, Shell and GECOS)
    This is what we call "UNIX-enabling" a user (hence the title of the posting)
  2. A role that allows the user to log-in.
UNIX-enabling simply means to provide a user (or a group) a UNIX identity in a Centrify Zone in Active Directory

Since we have established the Plan-Do-Check-Adjust model.  Here is the model for UNIX identities and Access

(Plan)ning UNIX Identities

  • Having a proper naming and identification strategy
    • What is the right login name?  Are there systems that don't like more than 8 characters?  (like HP-UX or AIX)
    • Does it have to be programmatically derived
    • What are the considerations for home directories?  Is there a central filer?
    • Is there an enterprise Shell?
    • Does anything need to be added to the GECOS field?
    • Are there different primary groups and secondary groups (other than private)?
  • What is the current state?
    • Is the namespace normalized(*)? Or does it need to be cleaned up?
      Are there users with different UIDs across systems?
      Are there different GID definitions for the same system?
      Are UNIX group memberships uniform?
    • Does the organization engage in Mergers and Acquisitions?
  • What will be the strategy if the company acquires another organization that has UNIX systems?
  • Are Samba or NFS in use?
(*) normalization is the process of rationalizing the names pase so everyone has a unique UNIX identity across the enterprise.  This is not a pre-requisite to deploy Centrify.

UNIX-enabling Users with Centrify (Do)

Users can get UNIX profiles using various methods:
  • Manually via Access Manager., Active Directory Users and Computers or ADSIEdit
  • Automatically via Centrify Zone Provisioning Agent
  • Automatically with any programming interface that can manipulate AD  (On Windows using vbscript, PowerShell, etc, and on UNIX/Linux using adedit).

Manual Method 1:  From Windows using Access Manager

  1. In Access Manager, expand the Zone, then UNIX Data, and right click Users.  
  2. Select Add Users to Zone
  3. In the Find box, type the name of the AD User account that is going to be enabled.  Select it and press OK
  4. Now, check all the boxes to pick the defaults OR, override each value to match your needs.

Manual Method 2:  From Windows using ADUC

Note: ADUC needs to have the Centrify Profile tab installed and activated
  1. In ADUC, right click the user object to UNIX-enable and select Properties
  2. Go to the Centrify Profile tab and select Add.  
  3. In the find window, press find and select the zone that the user will be added to.
  4. Follow the instructions from Step 3 above.

Manual Method 3:  From UNIX using adedit

Adedit is a TCL-based programming language included with the Centrify agent.
  1. On a Centrified UNIX system, type /usr/bin/adedit
  2. Bind to the domain with the proper credentials
    bind corp.contoso.com
  3. Select the zone to add the user to
    select_zone "cn=HQ,OU=Zones,OU=UNIX,dc=corp,dc=contoso,dc=com"
  4. Unix-enable the user
    new_zone_user jessie.matthews@corp.contoso.com
  5. Specify the UNIX identity
    set_zone_user_field uname jmatthews
    set_zone_user_field uid 0x8000000
    set_zone_user_field gid 0x8000000
    set_zone_user_field gecos "Jessie Matthews"
    set_zone_user_field home "%{home}/%{user}"
    set_zone_user_field shell "%{shell}"
    Note:  the 0x8000000 code after UID/GID specifies to use uniquely genereated code that is derive dfrom the AD object's SID.  Also, the variables under home and shell, allow this information to be picked based on the system's defaults.
  6. Verify the information
    show
    Bindings:
            corp.contoso.com: dc1.corp.contoso.com
    Current zone:
    CN=HQ,OU=Zones,OU=UNIX,DC=corp,DC=contoso,DC=com
    Current nss use:
    jessie.matthews@corp.contoso.com:jmatthews:1149240406:1149240406:Jessie Matthews:%{home}/%{user}:%{shell}:
  7. Save the Object
    save_zone_user

Manual Method 4:  From Windows using Centrify PowerShell

  1. On a Windows system with the Active Directory or Centrify PowerShell Modules
  2. Open PowerShell or PowerShell ISE as a user that has the rights to add and modify user profiles in the zone.
    Load these modules:
    Import-Module ActiveDirectory
    Import-Module Centrify.DirectControl.PowerShell
  3. Bind to the Centrify Zone in question
    $zone = Get-CdmZone -Name "HQ"
  4. Unix-enabling Jessie with defaults
    New-CdmUserProfile -Zone $zone –User jessie.matthews@corp.contoso.com -login jessie.matthews -UseAutoUid -AutoPrivateGroup –HomeDir "%{home}/%{user}" –Gecos "%{u:displayName}" –Shell "%{shell}"

Granting a UNIX Role

Once the user has an identity, the next step is to give him (or her) a role that grants them the ability to log in(*).  By this point a roles exercise has been conducted and the proper AD groups have been assigned UNIX roles.  This means that ADUC, Scripting/Programing, Identity Management Solutions and many other tools
(*) This is because users can be listed in a system, with no rights to log-in.

From Windows using ADUC
  1. Open ADUC and find the AD Group that has been assigned the role.
  2. Go to the Members tab and Click Add
  3. Find the newly UNIX-enabled user and Press OK Twice.

From UNIX Using adedit
  1. Log into UNIX/Linux with an account that can modify the group (or use kinit) and open adedit
  2. Bind to the domain
    >bind corp.contoso.com
  3. Add the ade_lib library
    >package require ade_lib
  4. Use the add_user_to_group function
    >add_user_to_group "jessie.matthews@corp.contoso.com" "UNIX Super Users@corp.contoso.com"
With PowerShell
Add-ADGroupMember "UNIX Super Users" -members "Jessie.Matthews"

At this point, when the cache refresh interval hits in the UNIX computer, the user will have the ability to log in with the corresponding role.


Verify the Access (Check)

There are multiple ways to check that the right identity and access have been provided:
  • In Windows:  via ADUC, Access Manager's User Effective Rights or Reporting
  • In UNIX with the adquery command and the dzinfo command.

To Verify the Identity in ADUC or Access Manager
  1. In ADUC, go to the user's properties, in the Centrify Profile tab, and double-click the entry.
  2. In Access manager, go to the Zone/UNIX Data/Users and double-click the user
  3. In any UNIX/Linux System in scope, run the adquery user <user name> command:
    $ adquery user jessie.matthews
    jessie.matthews:x:1149240406:1149240406:Jessie Matthews:/home/jessie.matthews:/bin/bash
To verify the level of access:
  1. In Access manager, go to the Zone/UNIX Data/Users and right-click the user and select "User Effective Rights"
  2. Select the system that you want to verify the level of access and review the settings.
Or
1. In Access Manager, go to the Reporting node.  Select the User's report or the UNIX User Effective Rights report, expand it, right click current and select Display Report

Review the systems that the user has access and what rights have been granted.
                                                                               Or 
In any System in scope, run the dzinfo <username> command.


 

(Adjust)ing the Identities or Roles assigned to a user

Due to various reasons there may be a need to adjust the user's identity or the role(s) that they may have in the systems.  Review the previous steps to perform any adjustments.  However, the most common operations are:
a) Identity Overrides:  This is when any of the default settings are modified.  E.g. they system admin does not want to change ownership of files and folders in multiple systems.  At this point he can change the UID/GID of the user to match their existing one.
b) Identity de-provisioning:  A user does not need access to UNIX systems anymore.  At this point their UNIX identity can be removed.
c) Access Changes:  A user may need to have access to more (or less systems) than required.  This may mean that they need to be added (or removed) from role assignments at the Computers Group level.
d) Temporary Access to a single or multiple systems:  These are normally exceptions. They can be dealt with temporary role assignments or computer level overrides.

No comments:

Post a Comment