February 2016 Update
I've created a Centrify CLI Cheat Sheet. The original January 2014 post will be left as is for historical reasons.
======
Background
Centrify offers a variety of command line utilities for the purposes of information, troubleshooting and automation. In the Utility section we will discuss those tools.
Basic Agent Utilities
adinfo
Adinfo provides information about how the system is integrated with Active Directory.
$ adinfo
Local host name: cen1
Joined to domain: corp.contoso.com
Joined as: cen1.corp.contoso.com
Pre-win2K name: cen1
Current DC: dc1.corp.contoso.com
Preferred site: HQSite
Zone: corp.contoso.com/Unix/Zones/HQ
CentrifyDC mode: connected
Licensed Features: Enabled
-T (--test) to verify connectivity to the domain
$ adinfo -T
Domain Diagnostics:
Domain: corp.contoso.com
DNS query for: _ldap._tcp.corp.contoso.com
DNS query for: _gc._tcp.corp.contoso.com
Testing Active Directory connectivity:
Global Catalog: dc1.corp.contoso.com
gc: 3268/tcp - good
Domain Controller: dc1.corp.contoso.com
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
-C (--computer) to verify the computer account information, including Kerberos Service Principal Names
$ adinfo -C
Computer Account Diagnostics
Joined as: cen1
Trusted for Delegation: false
Use DES Key Only: false
Run adinfo as root to examine local key info
Key Version: 4 (local key version unavailable)
Service Principal Names: nfs/cen1.corp.contoso.com
nfs/cen1
ipp/cen1.corp.contoso.com
ipp/cen1
http/cen1.corp.contoso.com
http/cen1
host/cen1.corp.contoso.com
host/cen1
ftp/cen1.corp.contoso.com
ftp/cen1
cifs/cen1.corp.contoso.com
cifs/cen1
afpserver/cen1.corp.contoso.com
afpserver/cen1
Supported Encryption Type(s): RC4-HMAC
AES128-CTS-HMAC-SHA1-96
AES256-CTS-HMAC-SHA1-96
Operating System Version: 5.8 (Final)
Adinfo can also be used to collect debug information, or even to map the current domain connectivity in complex environments.
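As an added example (not part of the original post and not Centrify code), the sh/awk filter below reads adinfo -C output and flags the settings a reviewer would check on a computer account: delegation trust, DES-only keys, and RC4 or DES encryption types. The flagging policy and the sample input, including the "true" value for Trusted for Delegation and the indented continuation lines, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit `adinfo -C` output. The policy applied here is an assumption.

# Reads `adinfo -C` output on stdin; prints one "WARN ..." line per finding.
audit_adinfo_c() {
    awk '
    {
        sub(/\r$/, "")
        c = index($0, ":"); s = index($0, "/")
        if (c > 0 && (s == 0 || c < s)) {   # "Label: value" starts a field
            field = substr($0, 1, c - 1)
            value = substr($0, c + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", field)
        } else {                            # SPN/enctype continuation line
            value = $0
        }
        gsub(/^[ \t]+|[ \t]+$/, "", value)
        if (field == "Trusted for Delegation" && value == "true")
            print "WARN delegation: computer account is trusted for delegation"
        if (field == "Use DES Key Only" && value == "true")
            print "WARN des-only: account is limited to DES keys"
        if (field == "Supported Encryption Type(s)" && value != "") {
            seen = 1
            if (value ~ /^AES/) aes = 1
            if (value ~ /^(RC4|DES)/) print "WARN weak-enctype: " value
        }
    }
    END { if (seen && !aes) print "WARN no-aes: no AES encryption type listed" }
    '
}

# Constructed sample (not captured from a real host), shaped like the output above.
sample_adinfo_c() {
    cat <<'EOF'
Computer Account Diagnostics
Joined as: cen1
Trusted for Delegation: true
Use DES Key Only: false
Run adinfo as root to examine local key info
Key Version: 4 (local key version unavailable)
Service Principal Names: host/cen1.corp.contoso.com
                         host/cen1
Supported Encryption Type(s): RC4-HMAC
                              AES256-CTS-HMAC-SHA1-96
EOF
}

sample_adinfo_c | audit_adinfo_c
```

On a joined host the same function can be fed live output with adinfo -C | audit_adinfo_c; an empty result means none of the assumed checks fired.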
adquery
Adquery is a great tool to make queries via the AD agent.
To query all users that are UNIX-enabled in the zone with Centrify:
$ adquery user
billmurray:x:1627391067:1627391067:Bill Murray:/home/billmurray:/bin/bash
chevychase:x:1627391070:1627391070:Chevy Chase:/home/chevychase:/bin/bash
chrisrock:x:1627391068:1627391068:Chris Rock:/home/chrisrock:/bin/bash
To view more information about user billmurray:
$ adquery user -A billmurray
unixname:billmurray
uid:1627391067
gid:1627391067
gecos:Bill Murray
home:/home/billmurray
shell:/bin/bash
auditLevel:AuditIfPossible
isAlwaysPermitLogin:false
dn:CN=Bill Murray,OU=Marketing,OU=Staff,DC=corp,DC=contoso,DC=com
samAccountName:Bill.Murray
displayName:Bill Murray
sid:S-1-5-21-3571224596-3006733700-3057749774-1115
userPrincipalName:Bill.Murray@corp.contoso.com
canonicalName:corp.contoso.com/Staff/Marketing/Bill Murray
passwordHash:x
zoneEnabled:true
unixGroups:billmurray
memberOf:corp.contoso.com/Groups/Marketing Staff,corp.contoso.com/Groups/Samba-Users,corp.contoso.com/Unix/Provisioning Groups/Unix Users,corp.contoso.com/Users/Domain Users
Reviewing all information about a group:
$ adquery group staff
staff:x:1:chrisrock,billmurray,chevychase
To view more information about the Staff group:
$ adquery group staff -A
unixname:staff
gid:1
required:true
dn:CN=HQ-AIX-Staff-Group,OU=Groups,DC=corp,DC=contoso,DC=com
groupType:global security
samAccountName:HQ-AIX-Staff-Group
sid:S-1-5-21-3571224596-3006733700-3057749774-1232
canonicalName:centrifyimage.vms/Groups/HQ-AIX-Staff-Group
members:corp.contoso.com/Staff/IT/Chevy Chase,corp.contoso.com/Staff/Contractors/Bill Murray,corp.contoso.com/Staff/IT/Chris Rock
unixMembers:chrisrock,billmurray,chevychase
Adquery can be used to troubleshoot issues with accounts, including computer accounts.
Hi
Any command to view groups allowed to access a unix server?