Monday, January 6, 2014

Basics: Using Group Policy on UNIX/Linux and Mac OS X Systems with Centrify


As per Wikipedia: "Group Policy provides the centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment"  but what does this mean:
  • For the IT Administrator:  It allows the enforcement and management of computer and user settings to be much easier.  It's also easier to achieve standardization from a central administrative place.
  • For Security:  It allows for security policy definition in a single place, with enforcement in multiple endpoints.
  • For End-Users:  It means that the two parties above can control my experience.  :-)  All joking aside, group policies can make the user's experience more consistent.
  • For IT Management:  Group Policies promote better compliance, more standardization and operational efficiency.
Centrify provides Group Policy objects for the UNIX/Linux (including GNOME), Mac OS X and in the user suite for iOS, Android, etc.

How does group policy work?

In a Windows network, client reads a special share in the SYSVOL share of a domain controller and based on the scope (Site, Domain, OU), the processing rules and security settings they may or may not be processed.  They can change computer settings (upon reboot) or user settings (upon login) or after the gpupdate command is issued.

But UNIX/Linux systems are not Group Policy capable?  Yes, this is true.  Unless the system has been Centrified.  The section below explains how Centrify can process group policies.

Note:  Group Policy processing is available on the licensed versions of Centrify for UNIX, Linux and Mac OS X, with the exception of the Password and Kerberos policy that can be enforced in the Express (community) version.  This blog does not cover Centrify Express, but the reason why this is possible is due to the shared objects that comprise the Account PAM module provided by Centrify.

How does Centrify enable Group Policy for UNIX/Linux and Mac Systems?

There are several components that allow group policies to be processed in UNIX systems.
On the Windows side:  Group Policy templates and definitions (.adm and .xml) files provided with the Centrify Suite. A trusted administrator links and configures the GPOs, which in turn are copied in the SYSVOL share of the domain controller (and replicated in the domain).
On the UNIX/Linux/Mac OS X system side:  The Centrify agent (adclient), mapping files, the mapper process, a virtual directory and config files.

The simplified process works like this:
  1. At the group policy refresh interval or when the adgpupdate command is issued, adclient reads the SYSVOL share of the current domain controller.
  2. The client determines which group policies apply according GP processing rules.
  3. The group policies are interpreted and implemented by the mappers process
  4. The corresponding changes are made to the configuration files in the system.
For example, the Windows logon banner, specified in the "Interactive logon: Message text for users attempting to log on" GPO under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options is mapped to the text in the  /etc/issue file in the UNIX/Linux system.

Other very important GPOs are verified by the PAM Password Module, like these options on the "Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy" Section:  
Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Password must meet complexity requirements
Process Reuse:  This means that all the password policies can be reused in the UNIX, Linux and Mac OS X systems that are joined via Centrify commercial editions!!!

Video Chalk-talk

For a deeper dive on group policies provided for Mac OS X by Centrify, take a look at this chalktalk:


Group Policy-related Centrify Utilities


The adgpupdate command is the equivalent to the gpupdate command in Windows.  What it does is described above.  

usage: adgpupdate [options]
  -T, --target <Computer | User>
                     Only refresh the computer or user policy (default both).
  -V, --verbose      Print debugging diagnostics to stderr.
  -v, --version      Print version information.
  -h, --help         Print this help text.

Sample output:
$ adgpupdate -V
session opened
Refreshing Computer Policy...
Refreshing User Policy...
User Policy disabled on this machine.

To view the settings processed by group policy, inspect the file under /var/centrifydc/reg/machine  (and /user if the system is a Mac or if it was enabled for GNOME policies)


In the 2015 version of the Centrify DirectControl agent (5.2.2), the adgpresult command has been introduced.  This command works just like the Windows gpresult tool.  It shows all the group policies processed locally by the agent in a very neat output.

$ adgpresult --help
usage: adgpresult [options]
    e.g. adgpresult -a
    or adgpresult -m -u uname1 -u uname2 ...
    -a, --all           Dump both gp settings for machine and current user.
                        Default option if no option is given.
    -m, --machine       Dump the machine's gp settings.
    -u, --user <name>   Dump the specified user's gp settings.
    -h, --help          Print this help information and exit.

No comments:

Post a Comment