Centrify Express Unix Agent Guide
Administrator’s Guide
April 2016
Centrify Corporation
Legal notice
This document and the software described in this document are furnished under and are subject to the terms of a
license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or
non-disclosure agreement, Centrify Corporation provides this document and the software described in this
document “as is” without warranty of any kind, either express or implied, including, but not limited to, the
implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of
express or implied warranties in certain transactions; therefore, this statement may not apply to you.
This document and the software described in this document may not be lent, sold, or given away without the prior
written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth
in such license agreement or non-disclosure agreement, no part of this document or the software described in this
document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means,
electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some
companies, names, and data in this document are used for illustration purposes and may not represent real
companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the
information herein. These changes may be incorporated in new editions of this document. Centrify Corporation
may make improvements in or changes to the software described in this document at any time.
© 2004-2016 Centrify Corporation. All rights reserved. Portions of Centrify software are derived from
third party or open source software. Copyright and legal notices for these sources are listed separately in the
Acknowledgements.txt file included with the software.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the
U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48
C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for
non-DOD acquisitions), the government’s rights in the software and documentation, including its rights to use,
modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all
respects to the commercial license rights and restrictions provided in the license agreement.
Centrify, DirectControl, DirectAuthorize, DirectAudit, DirectSecure, DirectControl Express, Centrify User
Suite, and Centrify Server Suite are registered trademarks and Centrify for Mobile, Centrify for SaaS, Centrify for
Mac, DirectManage, Centrify Express, DirectManage Express, Centrify Identity Platform, Centrify Identity
Service, and Centrify Privilege Service are trademarks of Centrify Corporation in the United States and other
countries. Microsoft, Active Directory, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and other countries.
Centrify software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103 B2; 9,112,846;
9,197,670; and 9,378,391.
The names of any other companies and products mentioned in this document may be the trademarks or registered
trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies,
organizations, domain names, people and events herein are fictitious. No association with any real company,
organization, domain name, person, or event is intended or should be inferred.
Contents
Chapter 1 Introduction 8
Key components 8
Managed computers are Active Directory clients 10
Provisioning is automatic 10
All Active Directory users have access after you deploy 11
How the agent generates profile attributes 12
Using DirectManage Express to deploy agents 13
Comparing Centrify Express to Centrify Server Suite editions 13
Index 47
The Centrify Express for Linux and UNIX Administrator’s Guide describes how to install, configure,
and use the components in Centrify Express for UNIX and Linux. Centrify Express products
are available for free to provide identity and access control for cross-platform data centers
using Active Directory. With support for a wide range of operating systems, hypervisors, and
applications, Centrify agents can help your organization strengthen security and regulatory
compliance while reducing IT expenses and costly interruptions to user productivity.
Centrify agents provide simplified cross-platform integration with Active Directory. In most
cases, Centrify Express agents require little or no configuration, and are available for
download directly from the Centrify web site. By installing Centrify agents, you can add
UNIX and Linux computers to Active Directory, authenticate user credentials from a central
identity store, and support local and remote cross-platform single sign-on at no cost.
Intended audience
This guide is intended for system and network administrators who are responsible for
managing user access to servers, workstations, and network resources.
This guide assumes you have a working knowledge of Microsoft Active Directory and how to
perform common administrative tasks on the UNIX and Linux platforms you support. This
guide also assumes basic, but not expert, knowledge of how to perform common
administrator tasks. If you are an experienced administrator, you may be able to simplify or
automate some tasks described in this guide using platform-specific scripts or other tools.
Conventions used in this guide
Chapter 4, “Troubleshooting tips and tools,” describes basic troubleshooting steps and how
to use diagnostic tools and log files to retrieve information about the operation of the
Centrify agent.
Chapter 5, “Using command-line programs,” provides reference information for the
command-line programs available with the Centrify agent.
Chapter 6, “Customizing operations using configuration parameters,” provides a quick
reference for the configuration parameters that you can set to control operations on
managed computers.
In addition to these chapters, an index is provided for your reference.
Introduction
This chapter provides an introduction to Centrify Express for Linux and UNIX, including a
brief overview of how Centrify can help you take advantage of your investment in Active
Directory.
The following topics are covered:
Key components
Managed computers are Active Directory clients
Provisioning is automatic
All Active Directory users have access after you deploy
How the agent generates profile attributes
Using DirectManage Express to deploy agents
Comparing Centrify Express to Centrify Server Suite editions
Key components
Centrify bundles products and features in different editions to address different customer
requirements. The Centrify Express family of products provides the most basic set of
functionality and is available for free from the Centrify website.
The main Centrify components that enable cross-platform authentication and authorization
services using Active Directory are platform-specific agents. Agents are packaged in
compressed platform-specific files that you can download and extract to enable non-
Windows computers to join an Active Directory domain. After you install an agent and join
a domain, Active Directory users are authenticated on the UNIX or Linux computer
without any further configuration.
The Centrify Express family of products also includes Centrify DirectManage Express,
which enables you to deploy agents and manage UNIX and Linux computers remotely from
a Windows computer, and Kerberos-enabled versions of OpenSSH and PuTTY packages.
Active Directory lookup filtering: You cannot use the following parameters to filter AD lookups:
• nss.group.override
• nss.passwd.override
The adcert command: You cannot use the adcert command, which enables certificate
operations to be performed directly on agent-managed UNIX computers.
Data isolation and encryption: You cannot dynamically isolate and encrypt data in motion.
These more advanced features are available in Centrify Server Suite Standard Edition,
Centrify Server Suite Enterprise Edition, and Centrify Server Suite Platinum Edition.
Chapter 1 • Introduction 9
Provisioning is automatic
When you deploy an agent on a computer, the agent adds the computer account to Active
Directory and automatically creates consistent UIDs across the joined domain for Active
Directory users with access to the computer. The agent authenticates all valid Active
Directory users without any configuration or account management. Because there is only
one zone for the forest, you can deploy without creating any zones of your own. Because
profiles are generated automatically, you do not need to configure any zone properties or
manage who has access to which subsets of UNIX and Linux computers.
computer. In addition, all Active Directory users defined in any forest with a two-way trust
relationship with the forest of the joined domain are valid users for the joined computer.
Note If a computer joins a domain and the domain has a one-way trust relationship with
another domain, users and groups in the trusted domain do not become valid users and
groups on the computer.
Log on to a computer that is disconnected from the network or unable to access Active
Directory, if they have successfully logged on and been authenticated by Active
Directory previously.
Manage their Active Directory passwords directly from the command line, provided
they can connect to Active Directory.
In addition to the UID and GID, the agent automatically creates a home directory for the
user with all the associated profile and configuration files. The location for the home
directory is:
UNIX or Linux: /home/username
Mac OS X: /Users/username
Deploying an agent does not affect local users. User accounts that are defined in the local
/etc/passwd directory can still log on. If you want to control access through Active
Directory, however, you should create Active Directory accounts for each user. After you
verify user access for the Active Directory user, you can then either delete the local
account, or map the local users on each computer to an Active Directory account to
preserve access to current home directories and files. For more information about mapping
accounts, see “Mapping local accounts to Active Directory” on page 30.
additional features or products. The following descriptions provide a brief summary of what
is included in each edition.
This chapter provides step-by-step instructions for installing the Centrify agent on a
computer and joining the computer to the Active Directory domain.
The following topics are covered:
Selecting a deployment option
Installing and using DirectManage Express
Other options for deploying agent packages
Verifying the installation
Upgrading Centrify Express to include licensed features
Removing Centrify Express
and UNIX computers, use one of the other options for deploying agent packages. For more
information, see “Other options for deploying agent packages” on page 17.
add computers to the domain using your own Active Directory account, check with the
Active Directory administrator for your site.
4 Follow the prompts displayed to accept the license agreement, select a location for
program files, and launch Deployment Manager.
The Deployment Manager Welcome page displays the steps to complete the successful
deployment of Centrify software:
Step 1: Build a computer list
Step 2: Download Centrify software
Step 3: Analyze computers
Step 4: Deploy Centrify software
For more detailed information about what to do for any step, see the documentation or
online help included with Deployment Manager.
If you want to use one of these installation options and need more information, see the
appropriate section.
3 Run the install-express.sh script to start the installation on the local computer. For
example:
./install-express.sh
4 Follow the prompts displayed to check the computer for potential issues, install the
agent, and join a domain automatically at the conclusion of the installation.
If the adcheck program finds potential issues, you might see warning or error messages.
Depending on the issue reported, you might have to make changes to the computer
before continuing or after installation.
For most prompts, you can accept the default by pressing Enter. When prompted for the
Active Directory domain, type the fully qualified name of the Active Directory domain
to join.
You must also type the user name and password for an Active Directory user with
permission to add computers to the domain.
5 After you have responded to all of the prompts displayed, review your selections, and
then enter Y to continue with the installation and reboot the computer.
environment. For example, if your operating system supports a package installer, such as
Red Hat Package Manager (rpm), SMIT or YAST programs, you can use those programs to
install the agent.
Note Centrify recommends that you use the installation script to automatically check a
computer for issues and join the computer to a domain.
3 Run the appropriate command for installing the package based on the local computer’s
operating system or package manager you want to use. For example, on Red Hat Linux:
rpm -Uvh centrifydc-release-rhel3-i386.rpm
Note You must run the adlicense command to set the agent to run in Express mode.
5 Join the domain by running the adjoin --workstation command, which connects you
to Auto Zone:
adjoin --workstation domainName
Note If you do not specify the --workstation option, the join operation will fail because
adjoin will attempt to connect you to a specific zone rather than Auto Zone.
When a user logs in for the first time, the agent creates a /home/userName directory.
2 Run the adinfo command to see information about the Active Directory configuration
for the local computer. You should see output similar to the following:
Local host name: QA1
Joined to domain: sales.acme.com
Joined as: QA1.sales.acme.com
Pre-win2K name: QA1
Current DC: acme-dc1.sales.acme.com
Preferred site: Default-First-Site
Zone: Auto Zone
Last password set: 2014-04-01 12:01:31 PST
CentrifyDC mode: connected
Licensed Features: Disabled
Note that licensed features are disabled and that the zone is Auto Zone. Creating actual
zones requires a licensed copy of Centrify Server Suite.
-t net checks DNS to verify that the local computer is configured correctly and that the
DNS server is available and healthy.
-t ad includes the -t net checks and verifies that the domain has a valid domain
controller.
If your computer fails one of these checks, upgrade the computer with a new operating
system version or patch, a new Perl or Samba version, or free up sufficient disk space.
Because the agent uses DNS to locate the domain controllers for the Active Directory
forest, the appropriate DNS nameservers need to be specified in the local
/etc/resolv.conf file on each computer before the computer can join the domain. If you
receive errors or warnings from these checks, you need to correct them before joining a
domain. Each warning or error message provides some help to resolve the problem.
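The DNS, domain-name and clock requirements described above are easy to script before running adjoin. The following is an added example, not code from the Centrify guide or the agent: the file path and the domain controller timestamp are parameters so the functions can be exercised on constructed input, and the 300-second clock tolerance is an assumption of the example (the usual Kerberos default), not a value the guide states.

```shell
#!/bin/sh
# Added example (not from the Centrify guide): checks worth scripting before
# running adjoin. File paths and the DC timestamp are parameters so the
# functions can be exercised on constructed input; on a real host you would
# pass /etc/resolv.conf and the domain you intend to join.

# resolv_nameservers FILE -> prints each nameserver address on its own line
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# check_resolv_conf FILE -> 0 if at least one nameserver is configured.
# Without one the agent cannot locate domain controllers through DNS.
check_resolv_conf() {
    _count=$(awk '$1 == "nameserver" { n++ } END { print n + 0 }' "$1")
    if [ "$_count" -eq 0 ]; then
        echo "$1: no nameserver entries; adjoin cannot find domain controllers" >&2
        return 1
    fi
    return 0
}

# check_domain_fqdn NAME -> 0 if NAME looks like a fully qualified DNS name
# (two or more labels of letters, digits and hyphens), which is what the
# install script and adjoin expect; a NetBIOS-style short name fails.
check_domain_fqdn() {
    case "$1" in
        *.*) ;;
        *) echo "$1: domain must be fully qualified (for example sales.acme.com)" >&2; return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$'
}

# clock_skew_ok LOCAL_EPOCH DC_EPOCH [MAX_SECONDS] -> 0 when the two clocks
# differ by at most MAX_SECONDS. 300 s is the usual Kerberos tolerance and is
# an assumption of this example, not a figure from the guide.
clock_skew_ok() {
    _diff=$(( $1 - $2 ))
    if [ "$_diff" -lt 0 ]; then _diff=$(( 0 - _diff )); fi
    [ "$_diff" -le "${3:-300}" ]
}

# Demonstration on constructed input (a temporary resolv.conf, not the real one)
_demo_dir=$(mktemp -d)
printf 'search sales.acme.com\nnameserver 10.0.0.10\nnameserver 10.0.0.11\n' > "$_demo_dir/resolv.conf"
check_resolv_conf "$_demo_dir/resolv.conf" && echo "DNS: $(resolv_nameservers "$_demo_dir/resolv.conf" | tr '\n' ' ')"
check_domain_fqdn sales.acme.com && echo "domain name is fully qualified"
clock_skew_ok "$(date +%s)" "$(date +%s)" && echo "clock skew within tolerance"
rm -rf "$_demo_dir"
# On a managed host: check_resolv_conf /etc/resolv.conf; check_domain_fqdn "$DOMAIN";
# clock_skew_ok "$(date +%s)" "$DC_EPOCH", where DC_EPOCH is the domain
# controller's time in seconds obtained by whatever means your site uses.
```

These checks complement rather than replace adcheck -t net and -t ad; they are useful in a deployment script that wants to fail fast, with a clear message, before it prompts for the join credentials.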
The user account you specify must have permission to add computers to the specified
domain. In some organizations, this account must be a member of the Domain Admins
group. In other organizations, the account simply needs to be a valid domain user
account. If you don’t specify a user with the --user option, the Administrator account is
used by default.
3 Type the password for the specified user account.
If the agent can connect to Active Directory and join the domain, a confirmation message is
displayed. All Active Directory users and groups defined for the forest, as well as any users
defined in a two-way trusted forest are valid users or groups for the joined computer.
As an alternative to restarting individual services, you can reboot the system to restart all
services.
Note Because the applications and services on different servers may vary, Centrify
Corporation recommends you reboot each computer to ensure all of the applications and
services on the system read the configuration changes at your earliest convenience.
5 When setup is complete for the selected packages, click Finish to close the setup
program.
3 Run the following command to verify that licensing has been enabled:
adinfo
Local host name: qa1
Joined to domain: acme.com
Joined as: qa1.acme.com
Pre-win2K name: qa1
Current DC: acme-dc1.acme.com
Preferred site: Default-First-Site
Zone: Auto Zone
Last password set: 2014-04-01 12:01:31 PST
CentrifyDC mode: connected
Licensed Features: Enabled
Note After enabling licensed features, the computer is still connected to Auto Zone. If
you are not using zones to migrate existing user populations or define role-based access
controls, you can leave the computer in Auto Zone. If you want to take advantage of
zones, you must:
Create at least one zone using the Access Manager console, adedit, or another tool.
Run adleave to leave the Active Directory domain and Auto Zone.
Run adjoin to rejoin the Active Directory domain and a specified zone.
For information about creating and managing zones, using group policies, and other
features, see the Centrify Server Suite Planning and Deployment Guide and the Centrify Server
Suite Administrator’s Guide.
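Both adinfo listings in this chapter (the Express one with licensed features disabled, and the one after licensing is enabled) are the kind of output a deployment script wants to check on every host rather than read by eye. The following is an added example, not code from the Centrify guide or the agent: SAMPLE_ADINFO is a constructed copy of the listing above, and on a managed host you would feed the function the real command's output with adinfo_check "$(adinfo)".

```shell
#!/bin/sh
# Added example (not from the Centrify guide): turn adinfo output into a
# pass/fail check that a deployment script can run on every host after
# adjoin. SAMPLE_ADINFO is a constructed copy of the listing in the guide;
# the real command is adinfo, invoked as adinfo_check "$(adinfo)".
SAMPLE_ADINFO='Local host name: qa1
Joined to domain: acme.com
Joined as: qa1.acme.com
Pre-win2K name: qa1
Current DC: acme-dc1.acme.com
Preferred site: Default-First-Site
Zone: Auto Zone
Last password set: 2014-04-01 12:01:31 PST
CentrifyDC mode: connected
Licensed Features: Disabled'

# adinfo_field TEXT LABEL -> value after "LABEL:", empty if the line is absent
adinfo_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# adinfo_check TEXT -> 0 when the host is joined, connected and in Auto Zone;
# otherwise prints each finding and returns 1. "Licensed Features: Disabled"
# is normal for an Express agent, so it is reported but not treated as a failure.
adinfo_check() {
    _rc=0
    _domain=$(adinfo_field "$1" "Joined to domain")
    _mode=$(adinfo_field "$1" "CentrifyDC mode")
    _zone=$(adinfo_field "$1" "Zone")
    _lic=$(adinfo_field "$1" "Licensed Features")
    if [ -z "$_domain" ]; then
        echo "not joined to a domain (run adjoin --workstation)"; _rc=1
    fi
    case "$_mode" in
        connected) ;;
        disconnected) echo "agent is disconnected: check DNS, the network and the domain controller"; _rc=1 ;;
        *) echo "no usable mode reported: adclient may not be running"; _rc=1 ;;
    esac
    if [ -n "$_domain" ] && [ "$_zone" != "Auto Zone" ]; then
        echo "zone is '$_zone'; an Express agent should report Auto Zone"; _rc=1
    fi
    echo "licensed features: ${_lic:-unknown}"
    return $_rc
}

# Run the check on the constructed sample; on a managed host use "$(adinfo)"
adinfo_check "$SAMPLE_ADINFO"
```

The zone test is deliberately tied to Auto Zone: if a host reports some other zone name, it was joined with a zone-specific adjoin rather than adjoin --workstation, which is worth knowing before licensed features are enabled and zones come into play.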
Server Suite Standard Edition or Centrify Server Suite Enterprise Edition and select which
packages to install.
3 When you are prompted whether to keep, erase, or reinstall the currently installed
packages:
Accept the default (K, keep) for the currently installed packages.
4 When prompted whether to install in Express authentication mode, accept the default
(Y, yes) and press Enter.
The script will also prompt you with other choices, such as the option to run adcheck and
reboot the computer after installation.
The computer remains joined to the domain you previously joined, your existing
/etc/centrifydc/centrifydc.conf file is backed up, and any modifications you have
made to the file are migrated to the new version of the file.
5 Restart running services, such as login, sshd, or gdm, or reboot the computer to ensure
all services use the updated configuration.
The uninstall.sh script will detect whether the agent is currently installed on the local
computer and will ask you whether you want to uninstall your current installation.
3 To uninstall, enter Y when prompted.
If you cannot locate or are unable to run the uninstall.sh script, you can use the
appropriate command for the local package manager or operating environment to remove
the agent and related files.
This chapter explains how to perform common administrative and end-user tasks on
managed computers that have the Centrify agent installed.
The following topics are covered:
Logging on to your computer
Getting information about the Active Directory configuration
Applying password policies and changing passwords
Working in disconnected mode
Mapping local accounts to Active Directory
Setting a local override account
Using standard programs such as telnet, ssh, and ftp
Using Samba
Setting Auto Zone configuration parameters
2 Type your old password. When changing your own password, you must always provide
your old password.
3 Type the new password. The password should conform to Active Directory password
policies.
4 Retype the new password.
For more information about using adpasswd, see the adpasswd man page.
3 Type the new password for the user specified. Because you are changing another user’s
password, you are not prompted for an old password. For example:
New password:
For more information about using adpasswd, see the adpasswd man page.
session or access a new service. For example, if a user account is disabled or has its password
changed in Active Directory while the user is disconnected from the network, the user can
still log on and use the old password until reconnected to the network. After the user
reconnects to Active Directory, the changes take effect and the user is denied access or
prompted to provide an updated password. Because changing the password for an Active
Directory account requires a connection to an Active Directory domain controller, users
cannot change their own Active Directory password when working in disconnected mode.
Note If users log out of a session while disconnected from Active Directory, they can be
authenticated using the information in the cache when they log back on, because they have
been successfully authenticated in a previous session. They cannot, however, be
authenticated automatically to any additional services after logging back on. To enable
automatic authentication for additional services, the user’s credentials must be presented to
the Key Distribution Center (KDC), which then issues a ticket that can be presented to other
services for unprompted, single sign-on authentication. Because the KDC is unavailable
when disconnected from Active Directory, single sign-on authentication is also unavailable.
You can configure many aspects of how credentials are handled, including how frequently
they are updated or discarded, through parameter settings in the centrifydc.conf
configuration file. To configure how credentials are handled using group policies, you must
upgrade to Centrify Server Suite Standard Edition or beyond.
1 On your Windows Active Directory computer, open Active Directory Users and
Computers (ADUC). Navigate to the Users node, right click and select New > User.
You should create a user logon name with the same name as the local user.
2 On the computer with the local account, open the centrifydc.conf configuration file.
3 Locate the pam.mapuser.username configuration parameter and un-comment the line to
change the default setting.
4 Modify the local account mapping to identify the local user account you want mapped to
the Active Directory user you created. For example:
pam.mapuser.joe.cool: joe.cool
5 Save the changes to the configuration file, then run the adreload command to reload the
configuration file and have the changes take effect.
Using Samba
Centrify Express supports the adbindproxy package, which contains the components to
enable an open-source Samba file server to use the Centrify agent and Active Directory to
handle identity management and user credentials.
For more information, see the Centrify Server Suite Samba Integration Guide.
This chapter describes how to use diagnostic tools and log files to retrieve information
about the operation of Centrify agents and provides tips to help you identify and correct
problems on managed computers.
The following topics are covered:
Addressing log on failures
Understanding diagnostic tools and log files
Configuring logging
Collecting diagnostic information
Resolving Domain Name Service (DNS) problems
If the ping command does not generate a reply, check your DNS configuration and check
whether the local computer or the domain controller is disconnected from the network.
4 Use adinfo or Active Directory Users and Computers to check that the computer is
joined to the domain.
5 Use adinfo to check whether the agent is currently running or disconnected.
If the adinfo command reports the mode is disconnected, try restarting adclient and
testing network response time. On a slow network, adclient may drop the connection
to Active Directory if there is a long delay in response time.
If adinfo displays an <unavailable> error, run adleave to leave Active Directory, then
re-run the adjoin command to re-join the domain. If the problem persists, check the DNS
host name of the local computer and the domain controller, the user name you are using to
join the domain, and the domain name you are using.
6 Check the clock synchronization between the local computer and the Active Directory
domain controller.
If the clocks are not synchronized, reset the system clock on the managed computer using
the date command.
7 Check the contents of the system log files or the centrifydc.log file after the user
attempts to log on. You can use information in this file to help determine whether the
issue is with the configuration of the software or with the user’s account.
8 Check for conflicts between local user accounts and the user profile generated by the
agent.
If these steps do not reveal the problem, you can enable detailed logging of adclient
activity using the addebug command. You can use the information in the
/var/log/centrifydc.log file to further diagnose the problem or to provide information
to Centrify Support.
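Step 8 above, checking for conflicts between local accounts and the profiles the agent generates, is the one that is hardest to do by inspection on a host with many local users. The following is an added example, not code from the Centrify guide or the agent: both inputs are constructed, and the "name:uid" list stands in for whatever you derive from adquery on a real host (the guide does not show adquery's output format, so none is assumed here).

```shell
#!/bin/sh
# Added example (not from the Centrify guide): detect local accounts that
# collide with the names or UIDs of the profiles the agent generates for
# Active Directory users. Both inputs are constructed. On a real host the
# first would be /etc/passwd; the second a "name:uid" list you build from
# adquery output, whose exact format this example does not assume.

# Constructed local accounts (passwd format)
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/sh
joe.cool:x:1001:1001:Joe Cool:/home/joe.cool:/bin/sh
backup:x:1002:1002::/var/backups:/bin/sh'

# Constructed "name:uid" list of Active Directory users as the agent maps them
AD_USERS='joe.cool:40001
mary.major:1002
sam.smith:40003'

# account_conflicts PASSWD_TEXT AD_TEXT -> one line per conflict:
#   name <user> <local-uid> <ad-uid>   same login name on both sides
#   uid <uid> <local-user> <ad-user>   same UID used by two different accounts
account_conflicts() {
    {
        printf '%s\n' "$1" | awk -F: 'NF >= 3 { print "L", $1, $3 }'
        printf '%s\n' "$2" | awk -F: 'NF >= 2 { print "A", $1, $2 }'
    } | awk '
        $1 == "L" { lname[$2] = $3; luid[$3] = $2; next }
        $1 == "A" {
            if ($2 in lname) print "name", $2, lname[$2], $3
            if (($3 in luid) && luid[$3] != $2) print "uid", $3, luid[$3], $2
        }'
}

# conflict_count PASSWD_TEXT AD_TEXT -> number of conflicts found
conflict_count() {
    account_conflicts "$1" "$2" | awk 'END { print NR }'
}

# Demonstration on the constructed data above
account_conflicts "$LOCAL_PASSWD" "$AD_USERS"
echo "conflicts: $(conflict_count "$LOCAL_PASSWD" "$AD_USERS")"
# On a managed host: account_conflicts "$(cat /etc/passwd)" "$AD_LIST"
```

Each output line maps to an action the guide already describes: a name conflict with differing UIDs is the case adfixid handles (re-own the local user's files to the Active Directory UID) or that pam.mapuser can bridge, a duplicate name you no longer need is what adrmlocal removes, and a UID shared by two different accounts means the local account must be renumbered or removed before the Active Directory user logs on.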
be difficult to interpret. The log files are primarily intended for Centrify Support and
technical staff.
In most cases, you should only enable logging when you need to troubleshoot unexpected
behavior, authentication failures, or problems with connecting to Active Directory or when
requested to do so by Centrify Corporation Support. Other troubleshooting tools, such as
command line programs, can be used at any time to collect or display information about
your environment.
Configuring logging
By default, the agent logs errors, warnings and informational messages in the syslog and
/var/log/messages files along with other kernel and program messages. Although these
files contain valuable information for tracking system operations and troubleshooting issues,
occasionally you may find it useful to activate Centrify-specific logging and record that
information in a log file.
Note You must type the full path to the command because addebug is not included in the
path by default.
After you run this command, all of the agent activity is written to the
/var/log/centrifydc.log file. If the adclient process stops running while logging is
on, the addebug program records messages from PAM and NSS requests in the
/var/centrifydc/centrify_client.log file. Therefore, you should also check that file
location if you enable logging.
For performance and security reasons, you should only enable logging when necessary. For
example, if you open a case with Centrify Corporation Support, the Support representative
may request that you enable logging and submit log files to investigate your case. You should
also limit logging to short periods of time while you or Centrify Support attempt to
diagnose a problem. You should keep in mind that sensitive information may be written to
this file and you should evaluate the contents of the file before giving others access to it.
When you are ready to stop logging activity, run the addebug off command.
With this parameter, the log level works as a filter to define the type of information you are
interested in and ensure that only the messages that meet the criteria are written to the log.
For example, if you want to see warning and error messages but not informational
messages, you can change the log level from INFO to WARN. By changing the log level, you
can reduce the number of messages included in the log and record only messages that
indicate a problem. Conversely, if you want to see more detail about system activity, you
can change the log level to INFO or DEBUG to log information about operations that do not
generate any warnings or errors.
You can use the following keywords to specify the type of information you want to record in
the log file:
# Add the name of the adclient logical log and specify the
# logging level to use for it and its children:
log.com.centrify.adclient: INFO
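Both edits this chapter asks you to make by hand in centrifydc.conf, un-commenting a pam.mapuser line for a local account mapping and setting the log.com.centrify.adclient level, are the same operation: activate or append a "key: value" line. The following is an added example, not code from the Centrify guide or the agent: it works on a file you name, the sample content is constructed, and the accepted log levels are limited to the three the guide mentions (WARN, INFO, DEBUG). After editing the real /etc/centrifydc/centrifydc.conf you still run adreload, as the guide says.

```shell
#!/bin/sh
# Added example (not from the Centrify guide): edit centrifydc.conf
# parameters from a script. Covers the two settings the guide describes:
# pam.mapuser.<local-user> for mapping a local account to an Active Directory
# account, and log.com.centrify.adclient for the adclient log level. The file
# is a parameter and the content below is constructed, so nothing touches the
# real /etc/centrifydc/centrifydc.conf; after editing that file, run adreload.

# conf_key_regex KEY -> KEY with dots escaped for use in grep/sed patterns
conf_key_regex() {
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

# get_conf_param FILE KEY -> prints the active (uncommented) value, if any
get_conf_param() {
    _re=$(conf_key_regex "$2")
    sed -n "s/^[ ]*$_re:[ ]*//p" "$1" | tail -n 1
}

# set_conf_param FILE KEY VALUE -> uncomment and rewrite an existing
# "#KEY:" line, or append "KEY: VALUE" when the key is not present at all.
# Values are expected to be plain identifiers (no sed-special characters).
set_conf_param() {
    _file=$1 _key=$2 _val=$3
    _re=$(conf_key_regex "$_key")
    if grep -q "^[# ]*$_re:" "$_file"; then
        sed "s|^[# ]*$_re:.*|$_key: $_val|" "$_file" > "$_file.tmp" && mv "$_file.tmp" "$_file"
    else
        printf '%s: %s\n' "$_key" "$_val" >> "$_file"
    fi
}

# set_adclient_log_level FILE LEVEL -> LEVEL must be one of the levels the
# guide names (WARN, INFO, DEBUG); anything else is rejected unchanged
set_adclient_log_level() {
    case "$2" in
        WARN|INFO|DEBUG) set_conf_param "$1" log.com.centrify.adclient "$2" ;;
        *) echo "unsupported log level '$2' (use WARN, INFO or DEBUG)" >&2; return 1 ;;
    esac
}

# map_local_user FILE LOCAL_USER AD_USER -> adds pam.mapuser.LOCAL_USER: AD_USER
map_local_user() {
    set_conf_param "$1" "pam.mapuser.$2" "$3"
}

# Demonstration on a constructed copy of the configuration file
_conf=$(mktemp)
cat > "$_conf" <<'EOF'
# constructed sample of centrifydc.conf, modelled on the lines in the guide
# log.com.centrify.adclient: INFO
# pam.mapuser.username: username
EOF
set_adclient_log_level "$_conf" WARN
map_local_user "$_conf" joe.cool joe.cool
echo "adclient log level: $(get_conf_param "$_conf" log.com.centrify.adclient)"
echo "mapping for joe.cool: $(get_conf_param "$_conf" pam.mapuser.joe.cool)"
rm -f "$_conf"
```

The commented pam.mapuser.username line in the sample is the template the guide refers to; because the key of a real mapping includes the local user name, the function appends a new line for joe.cool rather than rewriting the template, which keeps the template available for the next mapping.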
Command-line programs allow you to perform basic Active Directory administrative tasks
directly from a UNIX shell or using a shell script. These commands use the underlying
agent service library to enable you to perform administrative tasks, such as adding
computers to an Active Directory domain, leaving the Active Directory domain, changing
Active Directory passwords, and returning detailed Active Directory, network, and
diagnostic information for a host computer.
The following topics are covered:
Understanding when to use command-line programs
Supported command-line programs
Displaying usage information and man pages
In general, you should only use command-line programs when you must take action directly
on a local computer. For example, if you want to join or leave a domain or set a new
password while logged on to a shell, you may want to run a command interactively from
that shell. You can also use command-line programs in scripts to perform administrative
tasks programmatically.
Note You can also use Deployment Manager to perform the most common administrative
tasks. For more information about using Deployment Manager, see Deployment Manager
online help.
Supported command-line programs
Program Description
adcache: The adcache program enables you to manually clear the local cache on a computer or check a cache file for a specific key value.
adcheck: The adcheck program verifies whether a local computer meets the system requirements for joining an Active Directory domain. This command checks whether the computer has sufficient disk and memory, a supported operating system and patch level, required libraries, and network connectivity to an Active Directory domain.
adclient: The adclient program manages most agent operations, and is normally started automatically when a computer starts up. In most cases, you should only run adclient directly from the command line if Centrify Support recommends you do so.
addebug: The addebug program starts or stops logging activity for agent operations.
addns: The addns program enables you to dynamically update DNS records on an Active Directory-based DNS server in environments where the DHCP server cannot update DNS records automatically.
adedit: The adedit program enables you to manage Active Directory and the agent through command-line commands and scripts.
adfinddomain: The adfinddomain program displays the domain controller associated with the Active Directory domain you specify.
adfixid: The adfixid program resolves UID and GID conflicts and enables you to change the ownership of a local user’s files to match the user and group IDs defined for the user in Active Directory.
adflush: The adflush program clears the cache on a local computer.
adid: The adid program displays the real and effective UIDs and GIDs for the current user or a specified user.
adinfo: The adinfo program displays summary or detailed diagnostic and configuration information for a computer and its Active Directory domain.
adjoin: The adjoin program adds a computer to an Active Directory domain. This command configures a local computer to use Active Directory. No changes are made to authentication services or configuration files on a computer until you run the adjoin command. This command requires you to be logged on as root.
adkeytab: The adkeytab program enables you to create and manage Kerberos key tables (*.keytab files) and coordinate changes with the Kerberos key distribution center (KDC) provided by Active Directory.
adleave: The adleave program enables you to remove a computer from its current Active Directory domain or from the Active Directory forest entirely.
adlicense: The adlicense program enables or disables licensed features on a local computer. This command requires you to be logged on as root.
adpasswd: The adpasswd program changes the Active Directory account password for a user from within a UNIX shell.
adquery: The adquery program enables you to query Active Directory for information about users and groups from the command line on an agent-managed computer.
adreload: The adreload program forces the adclient process to reload configuration properties in the /etc/centrifydc.conf file and in other files in the /etc/centrifydc directory.
adrmlocal: The adrmlocal program reports and removes local user names that duplicate Active Directory user names.
Other commands that support Centrify Server Suite operations are also installed in the
directory with the commands shown in the preceding list, but they are not applicable to
Centrify Express agents.
The usage information includes a list of options and arguments, and a brief description of
each option.
For more complete information about any command, you can review the information in the
command’s manual (man) page. For example, to see the manual page for the adleave
command, type:
man adleave
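The adreload entry in the table above makes the point that adclient does not pick up edits to /etc/centrifydc.conf on its own. As an added illustration of that workflow (example code, not part of this guide or of the Centrify agent), the following Python helper rewrites one parameter in a centrifydc.conf-style file atomically, preserving the file's permission bits, and then optionally runs adreload. The 'key: value' line format, the sample file content and the temporary path used by demo_in_tempdir() are assumptions.

```python
"""Added example (not Centrify's own code): change one parameter in
/etc/centrifydc.conf safely and then run adreload so adclient picks it up.

Assumes the 'key: value' line format of centrifydc.conf. The sample file
content and the temporary path used in demo_in_tempdir() are constructed.
"""
import os
import re
import subprocess
import tempfile

# Constructed sample of a centrifydc.conf fragment; values are illustrative.
SAMPLE_CONF = """\
# Centrify agent configuration (constructed sample)
dns.alive.resweep.interval: 3600
dns.udp.timeout: 2
# dns.udp.timeout: 99   <- commented out, must not be touched
"""


def render_conf(text: str, key: str, value: str) -> str:
    """Return text with 'key: value' set.

    The first uncommented line for key is replaced, later duplicates of it are dropped,
    and the line is appended if the key is absent. Comments and other keys are untouched.
    """
    is_key = re.compile(r"^\s*" + re.escape(key) + r"\s*:").match
    out, seen = [], False
    for line in text.splitlines(keepends=True):
        if is_key(line):
            if not seen:
                out.append(f"{key}: {value}\n")
                seen = True
            continue  # drop a duplicate definition of the same key
        out.append(line)
    if not seen:
        if out and not out[-1].endswith("\n"):
            out[-1] += "\n"
        out.append(f"{key}: {value}\n")
    return "".join(out)


def set_parameter(path: str, key: str, value: str, reload_agent: bool = False) -> str:
    """Rewrite the file atomically and optionally run adreload.

    The new content goes to a temporary file in the same directory, the original's
    permission bits are copied onto it, and it is renamed over the original so adclient
    never sees a half-written file. Returns the new file text.
    """
    with open(path, encoding="utf-8") as f:
        new_text = render_conf(f.read(), key, value)
    mode = os.stat(path).st_mode & 0o7777
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)),
                               prefix=".centrifydc.conf.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(new_text)
        os.chmod(tmp, mode)       # mkstemp creates 0600; restore the original bits
        os.replace(tmp, path)     # atomic rename over the original
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    if reload_agent:
        # adreload makes adclient re-read /etc/centrifydc.conf; needs the agent installed
        # and root privileges, so it is off by default here.
        subprocess.run(["adreload"], check=True)
    return new_text


def demo_in_tempdir():
    """Apply set_parameter to a copy of SAMPLE_CONF in a temporary directory (no adreload).

    Returns the rewritten text and the file mode, to show both survived the rewrite.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "centrifydc.conf")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_CONF)
        os.chmod(path, 0o644)
        set_parameter(path, "dns.udp.timeout", "3")
        with open(path, encoding="utf-8") as f:
            return f.read(), oct(os.stat(path).st_mode & 0o7777)
```

On a joined computer you would call set_parameter("/etc/centrifydc.conf", "dns.udp.timeout", "3", reload_agent=True) as root; the temporary-file-plus-rename step matters because adclient may re-read the file at any moment after adreload, and a truncated file would silently drop every parameter below the edit.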
Auto Zone configuration parameters
dns.alive.resweep.interval
    Controls how frequently the DNS client checks whether there is a faster DNS server
    available. The default interval for this check is one hour.
dns.sweep.pattern
    Specifies the protocol and response time to use when the DNS client scans the network
    for available DNS servers.
    The dns.tcp.timeout and dns.udp.timeout parameters determine the amount of time to
    wait if the current server does not respond to a request. If the current server does
    not respond to a request within the specified timeout period, it is considered down
    and the agent looks for a different server. If the DNS subsystem cannot find a live
    server, DNS is considered down, and the agent waits for the period of the
    dns.dead.resweep.interval parameter before performing a sweep to find a new server.
dns.tcp.timeout
    Specifies the amount of time to wait if the current server does not respond to a TCP
    request. If the current server does not respond to a request within the specified
    timeout period, it is considered down and the agent looks for a different server.
dns.udp.timeout
    Specifies the amount of time to wait if the current server does not respond to a UDP
    request. If the current server does not respond to a request within the specified
    timeout period, it is considered down and the agent looks for a different server.
dns.dead.resweep.interval
    Specifies the amount of time to wait, once DNS is considered down, before performing a
    sweep to find a new DNS server to use.
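As an added worked example (not code from this guide or from the agent), the following Python model walks through the timeout, failover and resweep rules that the dns.* parameters above describe. It reads the parameters from a constructed centrifydc.conf snippet (the 'key: value' format is assumed, and every value except the one-hour alive resweep interval stated above is illustrative) and uses a table of simulated response times in place of real DNS queries. The server names, and the rule that a sweep picks the fastest server answering within the timeout, are also assumptions.

```python
"""Added example (not Centrify code): a model of the DNS server selection
rules described for the dns.* parameters.

Instead of sending DNS traffic, each query takes a table of simulated
response times, so the timeout, failover and resweep behaviour can be
followed end to end. The centrifydc.conf lines below are a constructed
sample and the 'key: value' line format is assumed.
"""
from typing import Dict, List, Optional

# Constructed sample of the relevant /etc/centrifydc.conf lines. Values are illustrative,
# except the one-hour alive resweep interval, which the guide states as the default.
SAMPLE_CONF = """\
# DNS client tuning (constructed sample)
dns.udp.timeout: 2
dns.tcp.timeout: 5
dns.dead.resweep.interval: 60
dns.alive.resweep.interval: 3600
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Return {key: value} for 'key: value' lines, skipping blanks and '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            params[key.strip()] = value.strip()
    return params


class DnsClient:
    """Tracks the current server, servers already found down, and when the next sweep is due."""

    def __init__(self, servers: List[str], udp_timeout: float, tcp_timeout: float,
                 dead_resweep: float, alive_resweep: float):
        self.servers = servers
        self.udp_timeout = udp_timeout
        self.tcp_timeout = tcp_timeout
        self.dead_resweep = dead_resweep
        self.alive_resweep = alive_resweep
        self.current: Optional[str] = None
        self.down: set = set()
        self.next_sweep_at = 0.0  # a sweep is due immediately on first use

    @staticmethod
    def _answers(server: str, responses: Dict[str, Optional[float]], timeout: float) -> bool:
        """True if the simulated server replied within the timeout (None = no reply)."""
        rt = responses.get(server)
        return rt is not None and rt <= timeout

    def _sweep(self, responses: Dict[str, Optional[float]], timeout: float) -> Optional[str]:
        """Scan every server and pick the fastest one that answers within the timeout."""
        self.down.clear()
        live = [s for s in self.servers if self._answers(s, responses, timeout)]
        return min(live, key=responses.get) if live else None

    def resolve(self, responses: Dict[str, Optional[float]], now: float,
                use_tcp: bool = False) -> Optional[str]:
        """Return the server that serves this query, or None while DNS is considered down.

        responses maps server name -> simulated response time in seconds (None = no answer).
        """
        timeout = self.tcp_timeout if use_tcp else self.udp_timeout

        # A sweep is due: the periodic look for a faster server (dns.alive.resweep.interval)
        # or the retry after DNS went down (dns.dead.resweep.interval).
        if now >= self.next_sweep_at:
            self.current = self._sweep(responses, timeout)
            wait = self.dead_resweep if self.current is None else self.alive_resweep
            self.next_sweep_at = now + wait
            return self.current

        # DNS is down and the dead-resweep interval has not elapsed: no server is probed.
        if self.current is None:
            return None

        # Normal path: the current server answered within dns.udp.timeout / dns.tcp.timeout.
        if self._answers(self.current, responses, timeout):
            return self.current

        # The current server timed out: mark it down and look for a different live server.
        self.down.add(self.current)
        for server in self.servers:
            if server not in self.down and self._answers(server, responses, timeout):
                self.current = server
                return server

        # No live server at all: DNS is down until dns.dead.resweep.interval has passed.
        self.current = None
        self.next_sweep_at = now + self.dead_resweep
        return None


def client_from_conf(conf_text: str, servers: List[str]) -> DnsClient:
    """Build a DnsClient from the dns.* parameters in centrifydc.conf-style text."""
    p = parse_conf(conf_text)
    return DnsClient(servers,
                     udp_timeout=float(p["dns.udp.timeout"]),
                     tcp_timeout=float(p["dns.tcp.timeout"]),
                     dead_resweep=float(p["dns.dead.resweep.interval"]),
                     alive_resweep=float(p["dns.alive.resweep.interval"]))
```

Walking a client built from SAMPLE_CONF through a sequence of queries shows each rule in turn: the first query sweeps and keeps the fastest responder; when that server stops answering within dns.udp.timeout the client fails over to another live server; when none answers, resolve() returns None and keeps returning None until dns.dead.resweep.interval has elapsed, after which a fresh sweep picks a new server; and a server too slow for dns.udp.timeout can still be accepted for a TCP query that falls within dns.tcp.timeout. Tuning the two timeouts too low therefore produces exactly the "DNS down" outages the dead resweep interval then prolongs.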
Index

A
account mapping
    configuration file setting 31
    purpose of 30
Active Directory
    account requirements 16
    integration 5
    joining after installation 22
    non-Windows clients 10
    offline authentication 29
    password policy enforcement 30
    specifying the domain 18
adcache 40
adcheck 40
    DNS configuration test 20
    operating system test 20
    running during installation 18
adclient 40
    core service 10
    log file 34
    reloading configuration 41
    setting a log level 36
    starting 40
    troubleshooting 34
    watchdog process 37
adclient.ntlm.separators 45
addebug 40
addns 40
adedit 40
adfinddomain 40
adfixid 40
adflush 40
adid 40
adinfo 40
    introduction 37
    troubleshooting log on failures 34
    when to use 41
adjoin 40
    running after installation 22
    specifying a zone 24
adkeytab 40
adleave 40
    changing to a specific zone 24
adlicense 40
adpasswd 40
    changing your own password 29
    resetting passwords 29
    use cases 28
    when to use 41
adquery 41
adreload 41
adrmlocal 41
agent
    command line programs 39
    deployment steps 17
    diagnostic information 37
    enabling logging 34
    installation 18
    installation options 15
    join the domain 22
    key tasks 10
    log files 35
    packages available 15
    removing 25
Auto Zone
    configuration parameters 42 to 45
    leaving 24
auto.schema.domain.prefix 44
auto.schema.homedir 43
auto.schema.iterate.cache 45
auto.schema.name.format 43
auto.schema.name.lower 44
auto.schema.primary.gid 42
auto.schema.private.group 42
auto.schema.remote.file.service 43
auto.schema.search.return.max 44
auto.schema.shell 42
auto.schema.use.adhomedir 43

C
Centrify Express
    deployment options 15

M
man pages
    displaying 41

N
NSS configuration 10
NTLM formatting 45

P
PAM configuration
    agent component 10
password management
    changing your own 28
    disconnected mode 30
    policy definition 28
    policy enforcement 12
    resetting for other users 29

R
root user
    access to privileged commands 16
    adinfo options 37
    enabling logging 35
    join operation 40
    local override account 31
    running native installers 19

S
Samba
    checking 21
SSH 31
system requirements 16

T
telnet 31
troubleshooting
    agent operation 34
    enabling logging 35
    using adinfo 37

U
UNIX
    agent requirements 15
    clock synchronization 34
    command line programs 39
    DNS configuration 21
    installing agents 18
    local account mapping 30
    man pages 41
    restarting services 22
users
    account mapping 30
    consistent UIDs 10
    disconnected logins 29
    generating consistent UIDs 12
    password policies 28

W
Windows
    Deployment Manager 16
    DirectManage components 23
    knowledge of 5

Z
zones
    suite features 14
    using a single zone 11