
Centrify DirectControl Express Edition
Administrator’s Guide
May 2010

Centrify Corporation
Legal notice
This document and the software described in this document are furnished under and are subject to
the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such
license agreement or non-disclosure agreement, Centrify Corporation provides this document and
the software described in this document “as is” without warranty of any kind, either express or
implied, including, but not limited to, the implied warranties of merchantability or fitness for a
particular purpose. Some states do not allow disclaimers of express or implied warranties in certain
transactions; therefore, this statement may not apply to you.
This document and the software described in this document may not be lent, sold, or given away
without the prior written permission of Centrify Corporation, except as otherwise permitted by
law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of
this document or the software described in this document may be reproduced, stored in a retrieval
system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without
the prior written consent of Centrify Corporation. Some companies, names, and data in this
document are used for illustration purposes and may not represent real companies, individuals, or
data.
This document could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein. These changes may be incorporated in new editions of
this document. Centrify Corporation may make improvements in or changes to the software
described in this document at any time.
© 2004-2010 Centrify Corporation. All rights reserved. Portions of Centrify DirectControl
are derived from third party or open source software. Copyright and legal notices for these sources
are listed separately in the Acknowledgements.txt file included with the software.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on
behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any
tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions)
and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government’s rights in the
software and documentation, including its rights to use, modify, reproduce, release, perform,
display or disclose the software or documentation, will be subject in all respects to the commercial
license rights and restrictions provided in the license agreement.
Centrify, DirectControl, and DirectAudit are registered trademarks and Centrify Suite,
DirectAuthorize, and DirectSecure are trademarks of Centrify Corporation in the United States
and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server
are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.
The names of any other companies and products mentioned in this document may be the trademarks
or registered trademarks of their respective owners. Unless otherwise noted, all of the names used
as examples of companies, organizations, domain names, people and events herein are fictitious. No
association with any real company, organization, domain name, person, or event is intended or
should be inferred.

• 2
Contents
About this guide 7
Intended audience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Using this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Conventions used in this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Where to go for more information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Contacting Centrify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Chapter 1 Introduction 13
Understanding Centrify DirectControl Express . . . . . . . . . . . . . . . . . . . . . 14
Understanding the Centrify DirectControl Agent . . . . . . . . . . . . . . . . . . . 16
Comparing Centrify Suite 2010 Express Edition to other editions. . . . . 18
Understanding Zones and Auto Zone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Understanding how DirectControl generates consistent UNIX UIDs . . 22

Chapter 2 Installing Centrify DirectControl Express 25


Preparing for installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Installing the Centrify DirectControl Agent. . . . . . . . . . . . . . . . . . . . . . . . . 27
Verifying the installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Troubleshooting adcheck errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Joining an Active Directory domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Adding generally-licensed features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Updating the Express installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Removing Centrify DirectControl. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Chapter 3 Using DirectControl Express 51


Logging in to your computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Applying password policies and changing passwords . . . . . . . . . . . . . . 54
Working in disconnected mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Mapping local UNIX accounts to Active Directory. . . . . . . . . . . . . . . . . . . 57
Setting a local override account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Using standard programs such as telnet, ssh, and ftp . . . . . . . . . . . . . . . 59
Using Samba. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Setting Auto Zone configuration parameters . . . . . . . . . . . . . . . . . . . . . . 61

Chapter 4 Troubleshooting 63
Understanding diagnostic tools and log files. . . . . . . . . . . . . . . . . . . . . . . 63
Configuring logging for Centrify DirectControl . . . . . . . . . . . . . . . . . . . . . 64
Collecting diagnostic information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Working with DNS, Active Directory, and DirectControl . . . . . . . . . . . . . 68

Appendix A Using Centrify DirectControl UNIX commands 75


Understanding when to use command line programs . . . . . . . . . . . . . . . 76
Displaying usage information and man pages . . . . . . . . . . . . . . . . . . . . . 77
Understanding common result codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Using adjoin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Using adleave. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Using adcheck . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Using adlicense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Using adpasswd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Using adquery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Using adinfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Using addebug. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Using adfinddomain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Using adflush . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Using adid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136



Using adclient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Using adcache. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Using adreload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

Appendix B Customizing Auto Zone configuration parameters 145


auto.schema.primary.gid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
auto.schema.private.group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
auto.schema.shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
auto.schema.homedir. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
auto.schema.use.adhomedir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
auto.schema.remote.file.service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
auto.schema.name.format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
auto.schema.separator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
auto.schema.domain.prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
auto.schema.search.return.max. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
auto.schema.name.lower . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
auto.schema.iterate.cache. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
adclient.ntlm.separators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Appendix C Customizing PAM-related configuration parameters 153


pam.allow.groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
pam.allow.override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
pam.allow.password.change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
pam.allow.password.change.mesg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
pam.allow.password.expired.access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
pam.allow.password.expired.access.mesg . . . . . . . . . . . . . . . . . . . . . . . . 158
pam.allow.users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
pam.deny.groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
pam.deny.users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

pam.ignore.users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
pam.mapuser.username. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
pam.password.change.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
pam.password.change.required.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
pam.password.confirm.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
pam.password.empty.mesg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
pam.password.enter.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
pam.password.expiry.warn.mesg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
pam.password.new.mesg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
pam.password.new.mismatch.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
pam.password.old.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
pam.policy.violation.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Appendix D Using DirectControl with SSH 169


About SSH and DirectControl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Setting up SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Testing SSH on UNIX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Testing SSH from a Windows machine . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Index 173



About this guide
Centrify Suite 2010 centrally secures cross-platform data centers
through Active Directory-based identity and access management of
the industry's widest range of heterogeneous systems, hypervisors
and applications. Built on an integrated architecture, the Centrify
Suite enables organizations to reduce IT expense, improve end-user
productivity, strengthen security and enhance regulatory
compliance.
This guide describes Centrify DirectControl Express, the main
component of the Express version of Centrify Suite 2010, which
allows a supported machine to join Active Directory and
authenticate users with minimal configuration. As your IT
structure grows in size and complexity, the Express version allows
seamless upgrade to full Centrify Suite 2010 functionality to take
advantage of features such as:
• The same authentication and group policy services deployed for your Windows environment.
• Centrify DirectControl Zones to provide secure, granular access control and delegated administration.
• Centrify DirectAuthorize™ to centrally manage and enforce role-based entitlements for fine-grained control of user access and privileges on UNIX and Linux systems.
• Centrify DirectAudit to deliver auditing, logging and real-time monitoring of user activity on your non-Microsoft systems.
• Centrify DirectSecure to secure sensitive information by dynamically isolating cross-platform systems and enabling optional end-to-end encryption of data in motion.
• Centrify DirectManage to centralize the discovery, management and user administration of UNIX and Linux systems through integration into Active Directory-based tools and processes.

Intended audience
This DirectControl Express Edition Administrator’s Guide provides
complete information for installing and configuring Centrify
DirectControl Express and authenticating users and groups with
Centrify DirectControl and Active Directory. This guide is
intended for system and network administrators who are
responsible for managing user access to servers, workstations, and
network resources.
Because Centrify DirectControl Express Edition is installed on the
Linux or Mac OS X computers you intend to manage, and requires
you to work with Windows Active Directory, this guide assumes
you have a working knowledge of performing administrative tasks
across these different environments. If you are unfamiliar with any
of the operating environments you need to support, you may need
to consult additional, operating system-specific documentation to
perform certain tasks or understand certain concepts.
This guide also assumes basic, but not expert, knowledge of how to
perform common tasks. If you are an experienced administrator,
you may be able to simplify or automate some tasks described in this
guide using platform-specific scripts or other tools.

Using this guide


Depending on your environment and role as an administrator or
user, you may want to read portions of this guide selectively. The
guide provides the following information:
• Chapter 1, “Introduction,” provides an overview of DirectControl Express.
• Chapter 2, “Installing Centrify DirectControl Express,” summarizes the steps for installing DirectControl Express on computers to be managed by Centrify DirectControl.
• Chapter 3, “Using DirectControl Express,” explains how to take advantage of Active Directory when joined to a domain through DirectControl Express.
• Chapter 4, “Troubleshooting,” describes how to use diagnostic tools and log files to retrieve information about the operation of DirectControl.
• Appendix A, “Using Centrify DirectControl UNIX commands,” provides reference information for the DirectControl command-line programs.
• Appendix B, “Customizing Auto Zone configuration parameters,” provides reference information for the Centrify DirectControl configuration parameters that affect the operation of a computer joined to Auto Zone. In Express Mode, a computer is automatically connected to Auto Zone.
• Appendix C, “Customizing PAM-related configuration parameters,” describes the DirectControl configuration parameters that affect the operation of PAM-related activity on the local host computer.
• Appendix D, “Using DirectControl with SSH,” explains how to install and use the Centrify release of OpenSSH.
In addition to these chapters, an index is provided for your reference.

Conventions used in this guide


The following conventions are used in this guide:
• Fixed-width font is used for sample code, program names, program output, file names, and commands that you type at the command line. When italicized, the fixed-width font is used to indicate variables. In addition, in command line reference information, square brackets ([ ]) indicate optional arguments.
• Bold text is used to emphasize commands, buttons, or user interface text, and to introduce new terms.
• Italics are used for book titles and to emphasize specific words or terms.
• For simplicity, UNIX is used generally in this guide to refer to all supported versions of the UNIX, Linux, and Macintosh OS X operating systems unless otherwise noted.
• The variable release is used in place of a specific release number in the file names for individual Centrify DirectControl software packages. For example, centrifydc-release-sol8-sparc-local.tgz in this guide refers to the specific release of the Centrify DirectControl Agent for Solaris on SPARC available on the Centrify DirectControl CD or in a Centrify DirectControl download package. On the CD or in the download package, the file name indicates the Centrify DirectControl version number. For example, if the software package installs Centrify DirectControl version number 4.2.0 for the Sun Solaris operating system on a SPARC server, the full file name is centrifydc-4.2.0-sol8-sparc-local.tgz.



Where to go for more information
The documentation set for Centrify DirectControl Express includes several sources of information. Depending on your interests, you may want to explore some or all of these sources further:
• Release Notes included on the distribution media or in the download package provide the most up-to-date information about the current release, including system requirements and supported platforms, and any additional information, specific to this release, that may not be included in other documentation.
• Quick Start for Express Mode provides a brief summary of the steps for installing Centrify DirectControl Express and getting started so you can begin working with the product right away.
• Individual UNIX man pages provide command reference information for Centrify DirectControl UNIX command-line programs. This DirectControl Express Edition Administrator’s Guide also contains a command reference appendix for all DirectControl command-line programs.
In addition to the Centrify DirectControl documentation, you may
want to consult the documentation for your Windows, Linux,
UNIX, or Mac OS X operating system, or the documentation for
Microsoft Active Directory. This information can help you get the
most out of Centrify DirectControl.

Contacting Centrify
If you have questions or comments, we look forward to hearing
from you. For information about contacting Centrify Corporation
with questions or suggestions, visit our Web site at
www.centrify.com. From the Web site, you can get the latest news
and information about Centrify Corporation products, support,
services, and upcoming events. For information about purchasing
or evaluating Centrify Corporation products, send email to
info@centrify.com.



Chapter 1

Introduction
This chapter provides an introduction to the main features of Centrify DirectControl Express, including a brief overview of the ways Centrify DirectControl can help organizations leverage their investment in Active Directory.
The following topics are covered:
• Understanding Centrify DirectControl Express
• Understanding the Centrify DirectControl Agent
• Comparing Centrify Suite 2010 Express Edition to other editions
• Understanding Zones and Auto Zone
• Understanding how DirectControl generates consistent UNIX UIDs


Understanding Centrify DirectControl Express


The Centrify Suite is bundled in a number of different editions,
ranging from the most basic, Express (the focus of this manual), to
more advanced editions (Standard, Enterprise, and Platinum),
which in addition to having more features, provide other Centrify
products, such as DirectAudit and DirectSecure.
DirectControl is the underlying, base product of the Centrify
Suite. The core feature of DirectControl is the ability to enable
Linux and Mac servers and workstations to participate in an Active
Directory domain. The DirectControl Agent effectively turns the
host system into an Active Directory client, enabling you to secure
that system using the same authentication services deployed for
your Windows systems.
Specifically, DirectControl Express provides the following:
• The ability to join a Linux or Mac OS X computer to Active Directory and authenticate users.
• Centrify-enabled versions of OpenSSH, Kerberos and Samba.
Note: The Centrify Suite 2010 Express Edition includes an Express Edition of DirectManage that enables you to centrally discover computers and deploy software to them.

DirectControl Express requires minimal configuration to join a UNIX machine to a domain and authenticate users through Active Directory. For example, DirectControl automatically creates consistent UIDs across the domain for users on the computers it manages; see “Understanding how DirectControl generates consistent UNIX UIDs” on page 22 for information on this topic. Also, when using DirectControl Express, you do not need to configure group policies and compliance reports, nor create zones to model your organization and control access to a domain.
Therefore, DirectControl Express is ideal for an environment in which:
• You have a limited number of users and domains.
• You do not need to maintain your current UNIX UIDs.
• The organizational structure is relatively flat.
• You want to configure computers quickly to join a domain.
If your organization grows in size and complexity, you can easily
upgrade Centrify DirectControl Express to one of the
generally-featured versions; see “Comparing Centrify Suite 2010
Express Edition to other editions” on page 18 for more
information.

What you can do after you deploy


When Centrify Suite 2010 Express installs the Centrify
DirectControl agent on a UNIX system, that computer is
considered a Centrify DirectControl managed system and
can be joined to Active Directory in the same manner as a
Windows computer.
When a computer is managed by Centrify DirectControl, and connected to a domain, all users and groups defined in Active Directory for the forest automatically become valid users and groups on the UNIX machine unless configured to deny or allow specific users or groups access; see pam.deny.users | pam.allow.users and pam.deny.groups | pam.allow.groups. In addition, all Active Directory users defined in a forest with a two-way, cross-forest trust relationship to the forest of the joined domain, are also valid users for the UNIX machine. These users can perform the following common tasks:
• Log on to the UNIX shell or desktop program and use standard programs and services such as telnet, ssh, and ftp.
• Log on to a computer that is disconnected from the network or unable to access Active Directory, if they have successfully logged on and been authenticated by Active Directory previously.
• Manage their Active Directory passwords directly from the UNIX command line, provided they can connect to Active Directory.

Understanding the Centrify DirectControl Agent


The Centrify DirectControl Agent makes a UNIX, Linux, or
Mac OS X computer look and behave like a Windows client
computer to Active Directory. The Centrify DirectControl Agent
performs the following key tasks:
• Joins the UNIX, Linux, or Mac OS X computer to an Active Directory domain.
• Communicates with Active Directory to authenticate users when they log on and caches credentials for offline access.
• Enforces Active Directory authentication and password policies.
• Provides a Kerberos environment so that existing Kerberos applications work transparently with Active Directory.
Although the individual agents you install are platform-specific, the
Centrify DirectControl Agent is a tightly integrated suite of
services that work together to ensure seamless operation between
existing UNIX programs and applications and Active Directory
authentication and directory service.



The following figure provides a closer look at the services provided through the Centrify DirectControl Agent:
[Figure: Centrify DirectControl Agent architecture. Core services for UNIX shell programs and applications (PAM module, NSS module); a Kerberos environment for Kerberos-enabled applications; other add-on modules (Apache, JAAS realm, SPNEGO, NIS). These sit on the Centrify DirectControl Service Library, the adclient process and the Centrify DirectControl command line programs, which hold cached credentials and search results and communicate with the Active Directory Domain Controller.]
As this figure suggests, the Centrify DirectControl Agent includes the following core components:
• The core Centrify DirectControl Agent is the adclient process that handles all of the direct communication with Active Directory. The agent contacts Active Directory when there are requests for authentication, authorization, directory assistance, or policy updates, and then passes valid credentials or other requested information along to the programs or applications that need this information.
• The Centrify DirectControl Pluggable Authentication Module, pam_centrifydc, enables any PAM-enabled program, such as ftpd, telnetd, login, and sshd, to authenticate using Active Directory.
• The Centrify DirectControl NSS module is added to nsswitch.conf so that system look-up requests use the Centrify DirectControl agent to look up and validate information using Active Directory through LDAP.
• The Centrify DirectControl command line programs (CLI) enable you to perform common administrative tasks, such as joining and leaving the Active Directory domain or changing user passwords for Active Directory accounts from the UNIX command prompt. These command line programs can be used interactively or in scripts to automate tasks.
• The Centrify DirectControl Kerberos environment generates a Kerberos configuration file (/etc/krb5.conf) and a default key table (krb5.keytab) to enable your Kerberos-enabled applications to authenticate through Active Directory. These files are maintained by the Centrify DirectControl Agent and are updated to reflect any changes in the Active Directory forest configuration.
• The Centrify DirectControl local cache stores user credentials and other information for offline access and network efficiency.
In addition to these core components, the Centrify DirectControl
Agent can also be extended with optional utilities and programs,
such as updated Kerberos, OpenSSH, or OpenLDAP utilities,
that have been optimized to work with Centrify DirectControl and
Active Directory.
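The integration points listed above can be audited on a managed host. The following POSIX shell script is an added example, not code from the Centrify guide or product: it checks a configuration tree for the NSS source, the PAM module, the Kerberos files and an access-scoping parameter. The file locations (/etc/nsswitch.conf, /etc/pam.d or /etc/pam.conf, /etc/krb5.conf, /etc/krb5.keytab, /etc/centrifydc/centrifydc.conf) and the "name: value" syntax of pam.allow.* are assumptions rather than taken from this page, and the sample trees it builds are constructed.

```shell
#!/bin/sh
# Added example (not from the Centrify guide): audit the DirectControl Agent
# integration points in a host's configuration tree.  ROOT is treated as the
# filesystem root so the checks run on a constructed tree as well as on "/".
# Assumed paths: /etc/nsswitch.conf, /etc/pam.d or /etc/pam.conf,
# /etc/krb5.conf, /etc/krb5.keytab, /etc/centrifydc/centrifydc.conf.

# Prints FAIL/WARN lines and returns the number of failed checks.
check_centrifydc_integration() {
    root=$1
    failed=0

    # NSS: passwd and group lookups must list the centrifydc source.
    for db in passwd group; do
        if ! grep -E "^[[:space:]]*$db:.*[[:space:]]centrifydc" \
                "$root/etc/nsswitch.conf" >/dev/null 2>&1; then
            echo "FAIL nsswitch.conf: '$db' does not use centrifydc"
            failed=$((failed + 1))
        fi
    done

    # PAM: at least one auth line (pam.d per-service or pam.conf style)
    # must call pam_centrifydc.
    if ! grep -E '(^|[[:space:]])auth[[:space:]].*pam_centrifydc' \
            "$root"/etc/pam.d/* "$root/etc/pam.conf" 2>/dev/null | grep -q .; then
        echo "FAIL PAM: no auth entry references pam_centrifydc"
        failed=$((failed + 1))
    fi

    # Kerberos: configuration file and default key table must exist.
    for f in /etc/krb5.conf /etc/krb5.keytab; do
        if [ ! -f "$root$f" ]; then
            echo "FAIL Kerberos: $root$f is missing"
            failed=$((failed + 1))
        fi
    done
    # The keytab holds the host's long-term key: no group/world read access.
    if [ -f "$root/etc/krb5.keytab" ] &&
       find "$root/etc/krb5.keytab" \( -perm -040 -o -perm -004 \) | grep -q .; then
        echo "FAIL Kerberos: krb5.keytab is group- or world-readable"
        failed=$((failed + 1))
    fi

    # Access scoping: by default every forest user is valid on the host, so
    # warn when neither pam.allow.users nor pam.allow.groups narrows that.
    if ! grep -E '^[[:space:]]*pam\.allow\.(users|groups)[[:space:]]*:' \
            "$root/etc/centrifydc/centrifydc.conf" >/dev/null 2>&1; then
        echo "WARN centrifydc.conf: no pam.allow.users/pam.allow.groups set"
    fi

    return $failed
}

# Build a constructed sample tree (not captured from a real host).  With
# nss_ok=yes the tree is fully integrated; otherwise the centrifydc entries
# are missing from nsswitch.conf.
build_sample_tree() {
    dir=$1
    nss_ok=$2
    mkdir -p "$dir/etc/pam.d" "$dir/etc/centrifydc"
    if [ "$nss_ok" = yes ]; then
        printf 'passwd: files centrifydc\ngroup:  files centrifydc\nhosts:  files dns\n' \
            > "$dir/etc/nsswitch.conf"
    else
        printf 'passwd: files\ngroup:  files\nhosts:  files dns\n' > "$dir/etc/nsswitch.conf"
    fi
    printf 'auth     sufficient pam_centrifydc.so\nauth     required   pam_unix.so\naccount  sufficient pam_centrifydc.so\n' \
        > "$dir/etc/pam.d/sshd"
    printf '[libdefaults]\n    default_realm = EXAMPLE.COM\n' > "$dir/etc/krb5.conf"
    : > "$dir/etc/krb5.keytab"
    chmod 600 "$dir/etc/krb5.keytab"
    printf 'pam.allow.groups: unix-admins, unix-users\n' > "$dir/etc/centrifydc/centrifydc.conf"
}

# "demo" audits two constructed trees; "audit [ROOT]" audits a real tree.
case "${1:-}" in
    demo)
        tmp=$(mktemp -d)
        build_sample_tree "$tmp/good" yes
        build_sample_tree "$tmp/bad" no
        echo "== good host =="; check_centrifydc_integration "$tmp/good"; echo "failures: $?"
        echo "== bad host ==";  check_centrifydc_integration "$tmp/bad";  echo "failures: $?"
        rm -rf "$tmp"
        ;;
    audit)
        check_centrifydc_integration "${2:-/}"
        ;;
esac
```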

Comparing Centrify Suite 2010 Express Edition to other editions
Centrify Suite 2010 Express Edition is composed of DirectControl
Express and DirectManage Express. As explained in
“Understanding Centrify DirectControl Express” on page 14,
Centrify DirectControl Express provides a limited subset of the
features available in DirectControl for Centrify Suite 2010
Standard, Enterprise, Platinum, or Application Editions.
Express Edition provides:
• DirectControl Express (a limited version of DirectControl) with the following features:
  • The ability to join a domain and authenticate users
  • Centrify-enabled OpenSSH, Kerberos, and Samba
• DirectManage Express (a limited version of DirectManage) with the ability to discover computers and deploy software
Standard Edition is the first-level commercial offering and combines the base product, DirectControl, with additional products, as follows:
• A fully-featured DirectControl with these features:
  • The ability to join a domain and authenticate users
  • Centrify-enabled OpenSSH, Kerberos, and Samba
  • Advanced Active Directory support; for example, DirectControl is site-aware, supports trusts, and requires no modifications to the AD schema
  • Centralized UNIX identity management; that is, the ability to map multiple UIDs to one Active Directory account
  • Zone-based access control and separation of duties
  • Group Policy enforcement
  • Legacy NIS integration and migration
  • Out-of-the-box reporting
  • For Mac OS X users, the ability to use their PIV/CAC smart cards for authentication and single sign-on
• A fully-featured DirectManage to centrally discover systems and deploy software, migrate existing accounts and access rights to Active Directory, and provision and manage access, rights, and roles.
• DirectAuthorize to centrally manage and enforce role-based entitlements for fine-grained control of user access and privileges on UNIX and Linux systems.


Enterprise Edition provides:
• All the features of Standard Edition
• DirectAudit for real-time auditing of user sessions on UNIX- and Linux-based systems.
Platinum Edition provides:
• All the features of Enterprise Edition
• DirectSecure to secure sensitive information by dynamically isolating cross-platform systems and encrypting data in motion.
Application Edition provides:
• All the features of Enterprise Edition
• Single sign-on for SAP, Web servers (Tomcat, Apache, JBoss, Websphere, and Weblogic), and IBM DB2

Understanding Zones and Auto Zone


When using a generally-featured version of DirectControl, one of
the most important aspects of managing UNIX, Linux, and
Mac OS X systems through the DirectControl Administrator
Console is the ability to organize computers and users’ access to
those computers using zones.
A DirectControl zone is similar to an Active Directory
organizational unit (OU) or NIS domain. Zones allow you to
organize the computers in your organization in meaningful ways to
simplify account and access management and the migration of
information from existing sources to Active Directory.
Zones also enable you to map multiple UIDs to a single Active
Directory account and store the mapping inside Active Directory.
How you use zones will depend primarily on the needs of your
organization. In some organizations, a single default zone is
sufficient. In other organizations, using multiple zones may be a
necessity.



Understanding Auto Zone
When using Centrify DirectControl Express, you have no access to
the DirectControl Console, nor do you have the ability to create
zones, including the default zone. Rather, in Express Mode, you
connect to a domain through Auto Zone, which essentially is one
super zone for the forest.
Express Mode and Auto Zone greatly simplify the process of using
DirectControl to join a UNIX computer to a zone. When using a
generally-featured version of DirectControl, you must perform a
certain amount of configuration in the DirectControl Console,
such as defining a zone, adding Active Directory users and groups
to the zone, and enabling specific group policies. With Auto Zone,
UNIX attributes, such as UID, default shell, and home directory,
that are normally defined in the zone to which the UNIX computer
is joined, are derived from user attributes in Active Directory, or
from DirectControl configuration parameters.
When you join a domain by connecting to Auto Zone, all
DirectControl Express users and groups defined in Active
Directory for the forest automatically become valid users and
groups on the UNIX machine. In addition, all Active Directory
users defined in a forest with a two-way, cross-forest trust
relationship to the forest of the joined domain, are also valid users
for the UNIX machine.
Although all users and groups have default access to all machines
joined to Auto Zone, you may still control access to any particular
machine by setting parameters, such as pam.deny.users and
pam.deny.groups, in the Centrify DirectControl configuration
file; see “pam.deny.groups” on page 159 and “pam.deny.users” on
page 161.
Note Auto Zone does not support one-way trusts. That is, if a
computer is joined to a domain through Auto Zone, and the domain
has a one-way trust relationship with another domain, users and
groups in the trusted domain do not become valid users and groups
on the computer.
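As an added illustration, not part of this guide or of the Centrify agent code, the following Python script parses a constructed centrifydc.conf fragment and reports whether a given Active Directory user would be refused by pam.deny.users or pam.deny.groups. It assumes the file's `key: value` line format with comma- or space-separated lists, and it models only the two deny parameters named above; the agent's handling of any allow lists is not reproduced, and the sample users, groups and configuration values are constructed.

```python
"""Evaluate pam.deny.users and pam.deny.groups from a centrifydc.conf fragment.

Added example, not Centrify's code. Assumes the configuration file uses
'key: value' lines, '#' comments, and comma- or whitespace-separated lists;
only the two deny parameters are evaluated.
"""
import re

# Constructed sample fragment; the user and group names are not from a real system.
SAMPLE_CONF = """
# Centrify DirectControl configuration (constructed sample)
pam.deny.users: guest, svc_backup
pam.deny.groups: contractors,former-staff
"""


def parse_conf(text):
    """Return {key: value} for every 'key: value' line, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def split_list(value):
    """Split a comma- or whitespace-separated list into lowercase names."""
    return [name.lower() for name in re.split(r"[,\s]+", value) if name]


def is_denied(conf, user, groups):
    """True if the user is listed in pam.deny.users or belongs to a listed group.

    Comparison is case-insensitive because Active Directory names are.
    Assumption: allow-list precedence is not modelled; only the deny lists count.
    """
    denied_users = set(split_list(conf.get("pam.deny.users", "")))
    denied_groups = set(split_list(conf.get("pam.deny.groups", "")))
    if user.lower() in denied_users:
        return True
    return any(group.lower() in denied_groups for group in groups)


def evaluate(users):
    """Map each user name to True (denied) or False (allowed) under SAMPLE_CONF."""
    conf = parse_conf(SAMPLE_CONF)
    return {user: is_denied(conf, user, groups) for user, groups in users.items()}


if __name__ == "__main__":
    # Constructed users with their Active Directory group memberships.
    sample_users = {
        "dylan": ["sales"],
        "guest": ["domain users"],
        "alice": ["Contractors", "sales"],
    }
    for user, denied in evaluate(sample_users).items():
        print(f"{user:8} {'DENIED' if denied else 'allowed'}")
```

Because every forest user is valid on an Auto Zone machine by default, a check like this run against the machine's real configuration file is a cheap way to confirm that the deny lists actually cover the accounts you intend to keep off a particular host.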

Understanding how DirectControl generates consistent UNIX UIDs
In DirectControl Express, when an Active Directory user logs into a UNIX computer for the first time, DirectControl automatically creates a 31-bit UNIX UID, as well as a 31-bit GID for any groups to which the user belongs. To create these UIDs and GIDs, DirectControl builds a prefix from the last 9 bits of the user or group Security Identifier (SID) and combines it with the lower 22 bits of the user or group RID (relative identifier).
Although DirectControl Express caches these UIDs and GIDs, they are not stored in Active Directory, and consequently you cannot edit or change them in any way with Active Directory Users and Computers (ADUC). If the cache expires, DirectControl uses the same algorithm to create the same UID and GID the next time the user logs in, so you are guaranteed consistent ownership for files and resources.
Note This is in contrast to fully-featured DirectControl which
stores UIDs and GIDs in Active Directory and provides tools that
enable you to migrate local UIDs and GIDs to Active Directory, as
well as map multiple UIDs to a single AD account.
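The derivation above can be reproduced in a few lines. The following Python example is added here and is not Centrify's implementation; it reads the description literally, taking the 9-bit prefix from the low 9 bits of the last sub-authority of the domain portion of the SID (the part before the RID), which is an assumption about which bits "the last 9 bits of the SID" refers to. The SIDs are constructed. Beyond the guide's single case, the example also shows a consequence of the scheme that is worth checking in a multi-domain forest: because only 9 bits of the domain SID and 22 bits of the RID survive, two different principals can derive the same UID, and file ownership would then be shared between them.

```python
"""Reproduce the Auto Zone UID/GID derivation described in this chapter.

Added example, not Centrify's code. The guide says the 31-bit ID is a 9-bit
prefix taken from the SID followed by the low 22 bits of the RID. This code
assumes the 9 bits come from the last sub-authority of the domain part of the
SID (the part before the RID); that reading is an assumption.
"""
import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain_subauthorities, rid)."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    parts = [int(p) for p in sid.split("-")[3:]]  # drop 'S', revision, authority
    if len(parts) < 2:
        raise ValueError("SID has no domain sub-authority before the RID")
    return parts[:-1], parts[-1]


def auto_zone_id(sid):
    """Return the 31-bit UNIX ID derived from a user or group SID."""
    domain, rid = parse_sid(sid)
    prefix = domain[-1] & 0x1FF   # last 9 bits of the last domain sub-authority (assumption)
    low = rid & 0x3FFFFF          # lower 22 bits of the RID
    return (prefix << 22) | low   # 9 + 22 = 31 bits, so the result fits a signed 32-bit uid_t


def find_collisions(sids):
    """Map each derived ID to the SIDs that produce it, keeping only IDs shared by several SIDs."""
    by_id = {}
    for sid in sids:
        by_id.setdefault(auto_zone_id(sid), []).append(sid)
    return {uid: owners for uid, owners in by_id.items() if len(owners) > 1}


if __name__ == "__main__":
    # Constructed sample SIDs; the domains are not real.
    user_sid = "S-1-5-21-3623811015-3361044348-30300820-1013"
    print(user_sid, "->", auto_zone_id(user_sid))
    # Two domains whose last sub-authority differs by exactly 512 share the 9-bit prefix.
    for uid, owners in find_collisions([user_sid,
                                        "S-1-5-21-3623811015-3361044348-30301332-1013"]).items():
        print("collision on", uid, owners)
```

Running the script twice, or on two different hosts, yields the same number for the same SID, which is the consistency property the text describes; the collision report is the check a practitioner would add before relying on generated UIDs across several domains.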

In addition to the UID and GID, DirectControl creates a home directory for the user with all the associated profile and configuration files. The location for the home directory is:
• Linux: /home/username
• Mac OS X: /Users/username
When you join multiple Linux or Mac OS X computers to a
domain, any Active Directory user who logs on to more than one
computer will have the same DirectControl-generated UID on
each machine.
Although local users (such as those defined in /etc/passwd) may still log in to any local computer, if you want to control access through Active Directory, you should create Active Directory accounts for each user. You can then either delete the local account, or to preserve access to current home directories and files, map the local users on each computer to an AD account; see “Mapping local UNIX accounts to Active Directory” on page 57.

Chapter 2

Installing Centrify DirectControl Express


This chapter provides step-by-step instructions for installing the
Express version of the Centrify DirectControl Agent on a
computer and joining a Linux or Mac OS X computer to the Active
Directory domain.
The following topics are covered:
• Preparing for installation
• Installing the Centrify DirectControl Agent
• Verifying the installation
• Troubleshooting adcheck errors
• Joining an Active Directory domain
• Adding generally-licensed features
• Updating the Express installation
• Removing Centrify DirectControl

Preparing for installation


The Centrify DirectControl Agent needs to be installed on each
UNIX computer you want to manage through Centrify
DirectControl and Active Directory. Therefore, you should check
that each computer where you plan to install is running a supported
version of the Linux or Mac OS X operating system and meets the
following requirements:

For this            You need this
Operating system    One of the supported operating environments. For information about the specific operating systems and version levels currently supported, see Supported Platforms on the Centrify Web site.
CPU speed           300 MHz
RAM                 10 MB
Disk space          100 MB

Note For the most complete and up-to-date information about supported platforms and version information, check the Centrify Web site or the Release Notes included with the software package. Some operating environments may require patches, updates, or bundles to work correctly, so check the Release Notes for any environment-specific requirements before installing. Also, you can check the Web site of your operating system vendor to identify the most recent patches and updates available.

Verifying account permissions

You need the following accounts to install DirectControl and join an Active Directory domain:
• To install on Linux you need the root account and password.
• To install on Mac OS X you need the local Administrator account and password.
• To join a domain, you need an Active Directory account (and password) with permission to add computers to the domain. Depending on your organization, this requirement might be more stringent; for example, in some organizations, an account with permission to add computers to the domain might need to be a member of the Domain Admins group. If you are not sure about the requirements of your organization, or do not know the name and password for an Active Directory account, check with your AD administrator.

Installing the Centrify DirectControl Agent


The files and directories you need to install on each Linux and
Mac OS X computer you want to manage through Active Directory
are bundled together in a platform-specific software package and
installed using a native installation mechanism for each platform.
You can install the Centrify DirectControl Agent in any of the following ways:
• (Recommended) Run the Centrify DirectControl installation script to automatically invoke the proper installation mechanism for a computer’s local operating system with the appropriate command line options; see “Installing the agent by using the installation script” on page 28.
• On Mac OS X computers, use the graphical user interface to install; see “Installing on Mac OS X by using the graphical user interface” on page 31.
• Manually install any package by running the appropriate installation command yourself; see “Using other programs to install DirectControl Agents” on page 35.

Note Centrify highly recommends that you use the installation script to install Centrify DirectControl Express because the installation script does the following:
• Automatically joins the computer to a domain.
• Sets the Agent to Express Mode.
• Runs operating system, network, and Active Directory tests to verify your environment.
If you manually install the Agent, you must manually join a domain, manually turn off licensing to enable Express Mode after joining a domain, and manually run tests if you wish to verify your environment.

Installing the agent by using the installation script


To install on a Linux or Mac OS X computer:
1 Log on as or switch to the root user if you are installing on a computer running Linux, or log on with a valid user account if you are installing on a computer with the Mac OS X operating system.
Note Although you are not required to log on as the root user on
the Macintosh computer, you must know the password for the
Administrator account to complete the installation. In addition,
joining the domain and configuring your environment is slightly
different on Macintosh computers than on other platforms.
Therefore, you should follow the steps in the section “Joining the
domain from Mac OS X computers” on page 42 to join an Active
Directory domain on computers running the Mac OS X
operating system.
2 Mount the cdrom device using the appropriate command for the
local computer’s operating environment, if necessary. If you
have copied the package to another location or downloaded the
package from an FTP server or Web site and are not using the
CD, verify the location and go on to the next step.
3 Change to the appropriate directory on the CD or to the directory where you have copied or downloaded the Centrify DirectControl package. For example, to install on a Linux computer from the Centrify DirectControl CD, change to the Unix directory:
cd Unix

Similarly, if you are installing on a Mac OS X computer, change to the MacOS directory.
4 Run the install-express.sh script to start the installation of Centrify DirectControl on the local computer’s operating environment. For example:
./install-express.sh

The installation script runs a utility, adcheck, to verify that your environment is configured properly to work with Centrify DirectControl. You may see warning or error messages that may require immediate attention or may be something that you can fix after running the installation.
For example, you will see a warning message if your machine has
a version of OpenSSH that is not configured to work with
Centrify DirectControl. However, by default, the installation
script installs the DirectControl build of OpenSSH, which
corrects this problem, so in this case you do not need to correct
anything.
See “Troubleshooting adcheck errors” on page 38 for more
information about adcheck and how to fix any issues it uncovers.
5 Respond to the installation prompts as follows:

How do you want to proceed? (E|S|X|C|Q) [X]:

Accept the default, X (for Express Edition), by pressing Enter.

Do you want to run adcheck to verify your AD
environment? (Q|Y|N) [Y]:

Accept the default answer, Y (to run adcheck), by pressing Enter.

Please enter the Active Directory domain to check:

Enter the fully qualified name of your AD domain; for example, sales.acme.com.

Join an Active Directory domain? (Q|Y|N) [Y]

Accept the default answer, Y, to join a domain.
Enter an authorized Active Directory user (one with permission to add computers to the domain) and password at the following prompts (see “Verifying account permissions” on page 26 for information about the accounts required for installing DirectControl and joining a domain); the default account, if you do not enter one, is administrator:
Enter the Active Directory authorized user
[administrator]:
Enter the password for the Active Directory user:

Press Enter to select the defaults for the following prompts:
Enter the computer name: [QA1.sales.acme.com]
Enter the container DN [Computers]:
Enter the name of the domain controller [auto detect]:
Reboot the computer after the installation (Q|Y|N) [Y]:

You will see summary text similar to the following:
You chose Centrify Suite Express Edition and entered the
following:
Install CentrifyDC 4.4.0 package: Y
Install CentrifyDC-nis 4.4.0 package: N
Install CentrifyDC-openssh 4.3.1 package: Y
Install CentrifyDA 1.1.2 package: N
Run adcheck : Y
Join an Active Directory domain : Y
Active Directory domain to join : sales.acme.com
Active Directory authorized user : administrator
computer name : QA1.sales.acme.com
container DN : Computers
domain controller name : auto detect
Reboot computer : Y

6 After reviewing the choices you have made, enter Y and press Enter.
When the installation is complete, the computer prepares to reboot in 15 seconds if you specified to reboot after installation.

Go to “Verifying the installation” on page 37 to see how to verify
the installation.

Installing on Mac OS X by using the graphical user interface


This section explains how to install using the graphical user
interface. To install using the installation script, see “Installing the
agent by using the installation script” on page 28.
To install the Centrify DirectControl Agent on a Mac OS X
computer using the graphical user interface, complete the steps in
the following procedure:
Note Before launching the installer, be certain that the Apple
Directory Utility is closed. If it is open while running the
installer, it causes the Centrify DirectControl Directory Access
plug-in to show the incorrect status, that is, it shows that the
plug-in is disabled when in fact it is enabled.
1 Log on with the Administrator or root user account.
2 Navigate to the directory on the CD or your local network
where the Centrify DirectControl Agent package is located. For
example, if you are installing from the Centrify DirectControl
CD, open the MacOS directory.
3 Double-click the DMG file, for example:
centrifydc-release-mac10.4.dmg

4 Double-click ADCheck to open the ADCheck utility.

ADCheck performs a set of operating system, network, and Active Directory checks to verify that the Mac OS X computer meets the system requirements necessary to install the Centrify DirectControl Agent and join an Active Directory domain.
5 Enter the domain you intend to join with the Mac OS X
computer and click AD Check.

Note The ADCheck utility has a set of options — see the adcheck man page for details. You can specify options in the AD Domain window along with the domain name. For example, to run the network options only, and provide verbose output, enter the following, then click AD Check:
-t net myDomain.com --verbose

You can also run ADCheck as a command-line utility in a terminal window.
6 Review the results of the checks performed. If the target
computer, DNS environment, and Active Directory
configuration pass all checks with no warnings or errors, you
should be able to perform a successful installation and join.
If you receive errors or warnings, correct them before
proceeding with the installation. See “Troubleshooting adcheck
errors” on page 38 for more information about adcheck and how
to fix any issues it uncovers.
7 Double-click CentrifyDC.pkg to open the Centrify
DirectControl Installer package.

8 Review the information on the Welcome page, then click Continue; review or print the terms of the license agreement and click Continue; then click Agree to agree to the terms of the license agreement.
9 Select a volume for installing the Centrify DirectControl Agent, then click Continue.
10 Click Install to begin installing the Centrify DirectControl Agent.
If you see the following warning box, click OK. If you did not have Directory Utility running during the installation, you can ignore the warning. If Directory Utility was open, you can quit and restart it to show the correct status of the Centrify DirectControl plug-in.

11 If prompted, enter the administrator name and password.

12 (Optionally) If the computer is not already joined to a domain, you can choose to join the domain now or manually after completing installation. To join now, enter a domain name.

Note You can click Show Advanced Options if you want to specify additional options when joining a domain. See “Joining the domain from Mac OS X computers” on page 42 for more information about joining a domain, including advanced options.
13 Click Join Domain and enter the Active Directory user (defaults to Administrator) and password for the domain when prompted. The ADJoin dialog is configured to join in Express Mode.
14 Click Close to close the installer.
15 (Optionally) Reboot the computer to stop and restart all
services.
Go to “Verifying the installation” on page 37 to see how to verify
the installation.

Using other programs to install DirectControl Agents
If you want to manually install a software package using a native
installation program instead of the Centrify DirectControl
installation script, you can follow the instructions in the
release-notes text file for the package or use another native
installation mechanism appropriate for the local operating
environment. For example, if your operating environment
supports another mechanism for installing and managing software
packages, such as the SMIT or YAST programs, you can use those
programs to install Centrify DirectControl software packages.
Note Centrify highly recommends that you use the installation
script to install Centrify DirectControl Express because the
installation automatically joins the computer to a domain, sets the
Agent to Express Mode, runs operating system, network, and
Active Directory tests to verify your environment, and installs the
Centrify OpenSSH package — all of which you have to do manually
if you use a native installer.

To install Centrify DirectControl using a native installation program:
1 Log on as or switch to the root user.
2 If you are installing from a CD and the CD drive is not mounted
automatically, use the appropriate command for the local
computer’s operating environment to mount the cdrom device.
3 Copy the appropriate package for the local computer’s operating
environment to a local directory.
For example, if installing from the CD and the operating
environment is Enterprise Linux:
cp /cdrom/cdrom0/Unix/centrify-suite-2010-rhel3-i386.tgz .

If you aren’t sure which file to use for the local operating
environment, see the release-notes text file included in the
package.

4 If the software package is a compressed file, unzip and extract the contents. For example, on Red Hat Linux:
gunzip -d centrify-suite-2010-rhel3-i386.tgz
tar -xf centrify-suite-2010-rhel3-i386.tar

5 Run the appropriate command for installing the package based on the local computer’s operating environment. For example, on Red Hat Linux:
rpm -Uvh centrifydc-release-rhel3-i386.rpm

If you aren’t sure which command to use for the local operating
environment, see the release-notes text file included in the
package.
Note You are not required to use the specific commands
described in the release-notes to install the software package
manually. If your operating environment has programs such as
the SMIT or YAST programs, you can use those programs to
install the Centrify DirectControl package.
6 Disable licensed features by running the adlicense --express command:
adlicense --express

Note The native installer installs Centrify DirectControl in full-featured mode; you must run the adlicense command to change to Express Mode.
7 Join the domain by running the adjoin --workstation command, which connects you to Auto Zone; see “Joining an Active Directory domain” on page 40:
adjoin --workstation domainName

Note If you do not specify the --workstation option the join will fail because adjoin will attempt to connect you to a specific zone, which is not allowed in Express Mode — you must connect to Auto Zone; see “Understanding Zones and Auto Zone” on page 20.
8 (Optionally) Install the Centrify OpenSSH package; for example:
rpm -Uvh centrifydc-openssh-release-rhel3-i386.rpm

Go to “Verifying the installation” on page 37 to see how to verify the installation.

Verifying the installation


When a computer is joined to Active Directory, all Active
Directory users and groups defined for the forest, as well as any
users defined in a two-way trusted forest are valid users or groups
for the joined machine. Therefore, after running the installation
script, which installed the Centrify DirectControl Agent and joined
your computer to a domain, you can log in as any Active Directory
user.
1 Log in using an Active Directory user account.
When a user logs in for the first time, the system creates a
/home/userName directory.

2 Run the adinfo command to see information about the Active Directory configuration for the local computer. You should see output similar to the following:
Local host name: QA1
Joined to domain: sales.acme.com
Joined as: QA1.sales.acme.com
Pre-win2K name: QA1
Current DC: acme-dc1.sales.acme.com
Preferred site: Default-First-Site
Zone: Auto Zone
Last password set: 2009-11-12 12:01:31 PST
CentrifyDC mode: connected
Licensed Features: Disabled

Note that licensed features are disabled and that the zone is Auto
Zone, which essentially is a super zone for the entire forest.
Creating actual zones requires a licensed copy of Centrify
DirectControl.
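A quick way to confirm the Express join from a script: the added Python example below (not Centrify's code) parses the `Label: value` lines that adinfo prints, using the sample output above as constructed input, and reports any field that does not match what an Express Edition join should show (Auto Zone, connected, licensed features disabled). The run_adinfo helper, which invokes the real adinfo command, assumes that command is on PATH.

```python
"""Check adinfo output for an Express-mode Auto Zone join.

Added example, not Centrify's code. It parses the 'Label: value' lines that
adinfo prints and flags anything that does not match the expected Express
configuration. Expected values are taken from the sample output in this section.
"""
import subprocess

# Constructed copy of the adinfo output shown in this section.
SAMPLE_ADINFO = """\
Local host name: QA1
Joined to domain: sales.acme.com
Joined as: QA1.sales.acme.com
Pre-win2K name: QA1
Current DC: acme-dc1.sales.acme.com
Preferred site: Default-First-Site
Zone: Auto Zone
Last password set: 2009-11-12 12:01:31 PST
CentrifyDC mode: connected
Licensed Features: Disabled
"""

# What an Express Edition join is expected to report.
EXPECTED = {
    "Zone": "Auto Zone",
    "CentrifyDC mode": "connected",
    "Licensed Features": "Disabled",
}


def parse_adinfo(text):
    """Turn 'Label: value' lines into a dict.

    Split on the first ': ' only, because values such as the timestamp
    contain colons of their own.
    """
    info = {}
    for line in text.splitlines():
        label, sep, value = line.partition(": ")
        if sep:
            info[label.strip()] = value.strip()
    return info


def check_express_join(info, expected_domain=None):
    """Return a list of problems; an empty list means the join looks right."""
    problems = []
    for label, want in EXPECTED.items():
        got = info.get(label)
        if got != want:
            problems.append(f"{label}: expected {want!r}, got {got!r}")
    if expected_domain and info.get("Joined to domain", "").lower() != expected_domain.lower():
        problems.append(
            f"Joined to domain: expected {expected_domain!r}, got {info.get('Joined to domain')!r}")
    # The computer account name should be the local host name plus the domain.
    joined_as = info.get("Joined as", "")
    host = info.get("Local host name", "")
    if host and not joined_as.lower().startswith(host.lower() + "."):
        problems.append(f"Joined as {joined_as!r} does not match local host name {host!r}")
    return problems


def run_adinfo():
    """Run the real adinfo command on this host (assumes it is on PATH)."""
    return subprocess.run(["adinfo"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    report = check_express_join(parse_adinfo(SAMPLE_ADINFO), "sales.acme.com")
    print("OK" if not report else "\n".join(report))
```

On a real host, replace SAMPLE_ADINFO with run_adinfo() and pass the domain you intended to join; a non-empty report after a fresh install usually means the agent was installed by a native package and adlicense --express was never run, or that adjoin was given a zone rather than --workstation.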
The Linux or Mac OS X computer is now joined to the domain just like any Windows machine in the domain. See Chapter 3, “Using DirectControl Express,” for some of the ways Centrify DirectControl Express simplifies administration of your Linux and Mac OS X computers.

Locating Centrify DirectControl directories and files


When you complete the installation, the local computer will be
updated with the following directories and files for Centrify
DirectControl:

This directory         Contains
/etc/centrifydc        The Centrify DirectControl Agent configuration file and the Kerberos configuration file.
/usr/share/centrifydc  Kerberos-related files and service library files used by the Centrify DirectControl Agent to enable group policy and authentication and authorization services.
/usr/sbin and /usr/bin Command line programs to perform Active Directory tasks, such as join the domain and change a user password.
/var/centrifydc        No files until you join the domain. After you join the domain, several files are created in this directory to record information about the Active Directory domain the computer is joined to, the Active Directory site the computer is part of, and other details.

Troubleshooting adcheck errors


You can run adcheck before, during, or after installation to verify that your system is configured properly for Centrify DirectControl. This utility performs three sets of checks that are controlled by the following options:
• -t os checks the operating system, disk size, and Perl and Samba installations.
• -t net checks DNS to verify that the local system is configured correctly and that the DNS server is available and healthy.
• -t ad includes the -t net checks and verifies that the domain has a valid domain controller.

Correcting errors for the os check


The -t os option performs a series of checks that verify
operating-system basics for the machine on which you are installing
Centrify DirectControl. This option performs the following
specific checks:
OSCHK : Verify that this is a supported OS
PATCH : Linux patch check Pass
PERL : Verify perl is present and is a good version Pass
SAMBA : Inspecting samba installation
SPACECHK : Check if has enough disk space in /var /usr /tmp

The operating system checks are self-explanatory. If your computer fails one of these checks, you need to upgrade the machine with a new operating system version or patch, a new Perl or Samba version, or free up sufficient disk space.
Note If you get a warning about your Samba installation, you can
install Centrify-enabled Samba as part of the DirectControl Express
installation.

Correcting warnings and errors for the net check


The -t net option performs a series of checks that verify DNS is
correctly configured on your local machine and that the DNS
server is running properly. There is also a check to verify that you
are running a supported version of OpenSSH.
Note A supported version of OpenSSH is automatically installed by
the installation script. If you get a warning about your OpenSSH
version before installation, you can ignore it.

This option performs the following specific checks:
NSHOSTS : Check hosts line in /etc/nsswitch.conf
DNSPROBE : Probe DNS server 192.168.43.130
DNSCHECK : Analyze basic health of DNS servers
WHATSSH : Is this an SSH that DirectControl works well with
SSH : SSHD version and configuration

Because Centrify DirectControl uses DNS to locate the domain controllers for the Active Directory forest, the appropriate DNS nameservers need to be specified in the local /etc/resolv.conf file on each UNIX computer before the computer can join the domain. If you receive errors or warnings from these checks, you need to correct them before joining a domain. Each warning or error message provides some help to resolve the problem.
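To show what these DNS checks look for, the added Python example below (written for this page, not adcheck's own code) inspects constructed copies of /etc/nsswitch.conf and /etc/resolv.conf: it confirms that dns is a lookup source on the hosts line, that at least one nameserver is configured, that the target domain is in the search list, and it prints the _ldap._tcp.dc._msdcs SRV name that an Active Directory client resolves to find domain controllers. The check labels only loosely follow adcheck's names, and the output format is not adcheck's.

```python
"""Pre-join DNS sanity checks modelled on the adcheck NSHOSTS and
resolv.conf requirements described in this section.

Added example, not adcheck's code. Reads the 'hosts:' line of nsswitch.conf
and the nameserver/search entries of resolv.conf from constructed samples.
"""

# Constructed samples; not copied from a real host.
GOOD_NSSWITCH = "passwd: files centrifydc\ngroup: files centrifydc\nhosts: files dns\n"
BAD_NSSWITCH = "hosts: files\n"
GOOD_RESOLV = "search sales.acme.com acme.com\nnameserver 192.168.43.130\nnameserver 192.168.43.131\n"
EMPTY_RESOLV = "# no nameservers configured\n"


def hosts_sources(nsswitch_text):
    """Return the lookup sources on the 'hosts:' line, in order."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line[len("hosts:"):].split()
    return []


def resolv_entries(resolv_text):
    """Return (nameservers, search_domains) from resolv.conf content."""
    nameservers, search = [], []
    for line in resolv_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            nameservers.append(fields[1])
        elif fields and fields[0] in ("search", "domain"):
            search.extend(fields[1:])
    return nameservers, search


def dc_srv_name(domain):
    """The DNS SRV record an Active Directory client queries to locate domain controllers."""
    return f"_ldap._tcp.dc._msdcs.{domain.lower().rstrip('.')}"


def precheck(nsswitch_text, resolv_text, domain):
    """Return findings as (check, status, detail) tuples; labels are our own, not adcheck's."""
    findings = []
    sources = hosts_sources(nsswitch_text)
    if "dns" in sources:
        findings.append(("NSHOSTS", "Pass", f"hosts: {' '.join(sources)}"))
    else:
        findings.append(("NSHOSTS", "Error", "hosts line in /etc/nsswitch.conf does not include dns"))
    nameservers, search = resolv_entries(resolv_text)
    if nameservers:
        findings.append(("RESOLV", "Pass", f"nameservers: {', '.join(nameservers)}"))
    else:
        findings.append(("RESOLV", "Error", "no nameserver entries in /etc/resolv.conf"))
    if domain.lower() in [s.lower() for s in search]:
        findings.append(("SEARCH", "Pass", f"{domain} is in the search list"))
    else:
        findings.append(("SEARCH", "Warning", f"{domain} is not in the resolv.conf search list"))
    findings.append(("ADDC", "Info", f"will query SRV {dc_srv_name(domain)}"))
    return findings


def has_errors(findings):
    """True if any finding is an Error, i.e. the join should not be attempted yet."""
    return any(status == "Error" for _, status, _ in findings)


if __name__ == "__main__":
    for check, status, detail in precheck(GOOD_NSSWITCH, GOOD_RESOLV, "sales.acme.com"):
        print(f"{check:8}: {status:7} {detail}")
```

The search-list check is a warning rather than an error because adjoin is normally given a fully qualified domain name; a missing search entry only matters when short names are used. A missing nameserver or a hosts line without dns, on the other hand, means the SRV lookup cannot succeed at all, which is why those are reported as errors.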

Correcting errors for the ad check


The -t ad option locates each domain controller in DNS and then
does a port scan and DNS lookup of each. The checks for this
option also verify the global catalog and verify clock and domain
synchronization. The specific checks performed by this option are
as follows:
Note The -t ad option runs the -t net checks as well as the -t ad checks.
DOMNAME : Check that the domain name is reasonable
ADDC : Find domain controllers in DNS
ADDNS : DNS lookup of DC centrify-mkdaze.mkline.local
ADPORT : Port scan of DC centrify-mkdaze.mkline.local
ADDNS : DNS lookup of DC centrify-mkdaze.mkline.local
GCPORT : Port scan of GC centrify-mkdaze.mkline.local
DCUP : Check DCs in mkline.local
SITEUP : Check DCs for mkline.local in our site
DNSSYM : Check DNS server symmetry
ADSITE : Check that this machine's subnet is in a site known by AD
GSITE : See if we think this is the correct site
TIME : Check clock synchronization
ADSYNC : Check domains all synchronized

If you receive errors or warnings from these checks, you need to correct them before joining a domain. Each warning or error message provides some help to resolve the problem.

Joining an Active Directory domain


When you install the Centrify DirectControl Agent on a UNIX
computer, you can automatically join that computer to an Active
Directory domain by selecting the option to do so in the Centrify
DirectControl installation script, install-express.sh.
However, if you don’t join the domain when you run the installation script, or if you leave a domain for any reason and want to rejoin, you can manually join a domain by using the adjoin command.
When using Centrify DirectControl Express, you can only connect
to a domain through Auto Zone, not by connecting to a specific
zone. Connecting to a zone requires Centrify DirectControl
licensed features. To connect to Auto Zone, you use the adjoin
--workstation option.

Note On the Mac OS, joining the domain and configuring your
environment is slightly different than on other platforms.
Therefore, you should follow the steps in the section “Joining the
domain from Mac OS X computers” on page 42 to join an Active
Directory domain when the Centrify DirectControl Agent is
installed on Mac OS X computers.

To join an Active Directory domain manually on a Linux or UNIX computer:
1 On the UNIX computer, log in as or switch to the root user.
2 Run adjoin to join an existing Active Directory domain. You
should join the domain using a fully-qualified domain name. You
must specify the --workstation option.
For example, to join the sales.acme.com domain with the user
account dylan:
adjoin --user dylan --workstation sales.acme.com

The user account you specify must have permission to add computers to the specified domain. In some organizations, this account must be a member of the Domain Admins group. In other organizations, the account simply needs to be a valid domain user account. If you don’t specify a user with the --user option, the Administrator account is used by default.
3 Type the password for the specified user account.
If Centrify DirectControl can connect to Active Directory and join the domain, a confirmation message is displayed. All Active Directory users and groups defined for the forest, as well as any users defined in a two-way trusted forest, are valid users or groups for the joined machine.

Joining the domain from Mac OS X computers


You can use either the ADJoin GUI utility or the adjoin command
line tool to join a domain. This section shows how to use ADJoin
GUI utility, which is specific to Mac OS X. For information on
adjoin, see the DirectControl Administrator’s Guide, or the man page
for adjoin.
To start the Centrify DirectControl program for joining or leaving
a domain:
1 Click Applications > Utilities > Centrify > Adjoin. Then
double-click Adjoin to open it.

2 Type the name of the Active Directory domain you want to join and select Auto Zone.
You can also type a different computer name if you want to use a different name for the local host in Active Directory. Check Overwrite existing joined Computer to overwrite the information stored in Active Directory for an existing computer account with the same name as the local computer. This is the same as running the adjoin command with the --force option.
If you want to use the default settings for joining the domain, you can continue to the next step. If you want to specify additional options, click Show advanced options to display the additional options:

Select this option                  To do this

Container DN
    Specify the distinguished name (DN) of the container or Organizational Unit in which you want to place this computer account. By default, computer accounts are created in the domain’s default Computers container. If you want to specify a container, check this option, then type the DN without its domain suffix. For example, if the domain suffix is acme.com and you want to place this computer in the paris.regional.sales.acme.com organizational unit, you would type:
    ou=paris, ou=regional, ou=sales
    Checking this option is the same as running the adjoin command with the --container option.

Preferred Domain Server
    Specify the name of the domain controller to which you prefer to connect. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information. Checking this option is the same as running the adjoin command with the --server option.

Computer Alias Name
    Specify an alias name you want to use for this computer in Active Directory. This option creates a Kerberos service principal name for the alias and the computer may be referred to by this alias. Checking this option is the same as running the adjoin command with the --alias option.

Do not update PAM and DirectoryService configuration
    Indicate that you do not want to update the local system’s PAM and DirectoryService configuration. If you don’t want to have the PAM files and DirectoryService configuration updated automatically, check this option. Checking this option is the same as running the adjoin command with the --noconf option.

For more information about these options, see “Using adjoin” on
page 80.
3 The Disable Licensed Features button turns off licensing
for DirectControl on the local computer, making it an Express
installation. For a Standard Centrify Suite 2010 installation, you
can ignore this button. See the Centrify Suite Express Edition
Administrator’s Guide for complete information on installing and
configuring Centrify DirectControl Express.
4 Click Join Domain.
5 Type the Active Directory user name and password for a user
with permission to join the local computer to the Active
Directory domain, then click OK.
6 Type the user name and password for the local Administrator
account.

Restarting services after installing or joining the domain

You may need to restart some services on UNIX computers where
you have installed the Centrify DirectControl Agent so that those
services will reread the name service switch configuration file. For
example, if you typically log on to the UNIX computer through a
graphical desktop manager such as gdm, you need to either restart
the gdm service or reboot the workstation to force the service to
read the updated configuration before Active Directory users can
log on. The most common services that need to be restarted are
sshd and gdm. If you are using these services, you should restart
them. For example, to restart sshd:
/etc/init.d/sshd restart

As an alternative to restarting individual services, you may want to
reboot the system to restart all services.
Note Because the applications and services on different servers may
vary, Centrify recommends you reboot each system at your earliest
convenience to ensure all of the applications and services on the
system read the Centrify DirectControl configuration changes.

Adding generally-licensed features

To take full advantage of all Centrify DirectControl features,
including the ability to create zones and apply group policies, you
need to run a generally-licensed version of the product.
To upgrade to a generally-licensed version of Centrify
DirectControl, complete the following steps:
1 Obtain a license or download an evaluation copy from the
centrify.com Website.
2 On a Windows machine that is joined to the domain, run the
Centrify Suite 2010 setup program to install the Centrify
DirectControl Management Tools.
3 On the UNIX machine that is running Centrify DirectControl
Express, run the following command to enable licensed features.
If it succeeds, you will see a message about group policies:
adlicense --licensed
Group policies will be initialized on background

4 Run a command similar to the following to verify that licensing
has been enabled:
adinfo
Local host name: qa1
Joined to domain: acme.com
Joined as: qa1.acme.com
Pre-win2K name: qa1
Current DC: acme-dc1.acme.com
Preferred site: Default-First-Site
Zone: Auto Zone
Last password set: 2009-11-12 12:01:31 PST
CentrifyDC mode: connected
Licensed Features: Enabled

5 After enabling licensed features, the computer is still connected
to Auto Zone. To connect to a specific zone, you must leave,
then rejoin the domain:
adleave
Active Directory password:***
...
Left Active Directory domain
Centrify DirectControl stopped.

adjoin acme.com

If you do not specify a zone, as in this example, you are
automatically connected to the default zone. If you have already
created zones, you can specify a zone on the command line; for
example, to connect to the Finance zone:
adjoin -z Finance acme.com

You may also move a computer to a different zone by using the
DirectControl Console. See the Administrator’s Guide for details.
See the Centrify DirectControl Administrator’s Guide and the Planning
and Deployment Guide for information about creating and managing
zones, using group policy, and other Centrify DirectControl
features.
Although enabling licensing gives you access to all DirectControl
features, the Express installation does not install all optional
packages, such as CentrifyDC NIS or DirectAudit. To install
additional DirectControl packages, rerun the installation script as
described in the next section, Updating the Express installation.

Updating the Express installation

To update from an Express installation to a full Centrify
DirectControl product, you can simply turn on licensed features as
explained in “Adding generally-licensed features” on page 46.
However, certain optional Centrify DirectControl packages are not
installed by the Express installation. To add these packages, you
must rerun the installation script, as follows:
1 Change to the appropriate directory on the CD or to the
directory where you have copied or downloaded the Centrify
DirectControl package. Then run the installation script that you
used originally to install Centrify DirectControl:
install.sh

Alternately, you can download and unzip a new DirectControl
package and run its installation script.
2 You are prompted whether to keep, erase, or reinstall the
currently installed packages (CentrifyDC and Centrify
openSSH) and whether to install specific new packages. Accept the
default (K, keep) for the currently installed packages, and
specify yes (Y) for the packages you want to add; for example,
Centrify DirectControl NIS and DirectAudit.
For the following prompt, type Y and press Enter to enable
licensed features. Be certain that you have installed the Centrify
DirectControl Console on a Windows machine and have an
available license.
Enable licensed features? (Q|Y|N) [Y]:

You can also choose to run adcheck, enable auditing (if you
installed DirectAudit), and reboot the computer after
installation.
The computer remains joined to the domain you previously
joined. Your existing /etc/centrifydc/centrifydc.conf
file is backed up, and any modifications you have made to the file
are migrated to the new version of the file.
3 Restart running services, such as login, sshd, or gdm (if you did
not reboot during installation), or reboot the computer to ensure
all services use the updated configuration. For example, you can
run the following command to stop running sessions:
pkill -1 sshd

Removing Centrify DirectControl

On most Centrify DirectControl-managed systems, you can
remove the Centrify DirectControl Agent and related files by
running the uninstall.sh script. The uninstall.sh script is
installed by default in the /usr/share/centrifydc/bin directory
on each Centrify DirectControl-managed system.
To remove Centrify DirectControl on a Linux, UNIX, or
Mac OS X computer:
1 Log on to the computer where the Centrify DirectControl
Agent is installed.
2 Run the uninstall.sh script. For example:
/bin/sh /usr/share/centrifydc/bin/uninstall.sh

The uninstall.sh script will detect whether the Centrify
DirectControl Agent is currently installed on the local computer
and will ask you whether you want to uninstall your current
Centrify DirectControl installation.
3 To uninstall Centrify DirectControl, enter Y when prompted.
If you cannot locate or are unable to run the uninstall.sh script,
you can use the appropriate command for the local operating
environment to remove the Centrify DirectControl Agent and
related files. The following table summarizes the commands to use
in different environments:

To remove from      Do this

Red Hat Linux       Run the following command:
                    rpm -e centrifydc

SuSE Linux          Run the following command:
                    rpm -e centrifydc

Debian Linux        Run the following command:
                    dpkg -P centrifydc

Mac OS X            You must use the uninstall.sh script to remove Centrify
                    DirectControl files on Macintosh computers.



Chapter 3

Using DirectControl Express


This chapter explains how to perform basic administrative tasks
with DirectControl Express.
The following topics are covered:
Logging in to your computer
Applying password policies and changing passwords
Working in disconnected mode
Mapping local UNIX accounts to Active Directory
Setting a local override account
Using standard programs such as telnet, ssh, and ftp
Using Samba
Setting Auto Zone configuration parameters


Logging in to your computer


When you install Centrify DirectControl Express on a computer
and join a domain, all users and groups defined in Active Directory
for the forest automatically become valid users and groups on the
machine. In addition, all Active Directory users defined in a forest
with a two-way, cross-forest trust relationship to the forest of the
joined domain, are also valid users for the machine.
To see a list of valid users, open Active Directory Users and
Computers (ADUC) on a Windows machine in the domain, then
navigate to domainName > Users.
Note By default, DirectControl transforms Active Directory names
into UNIX names in the form of a SAM name (short name in
Mac OS X); for example, jcool. You can specify a different form
for the UNIX name by setting the value of the
auto.schema.name.format parameter in the DirectControl
configuration file.

You log in to a computer exactly as you do locally by entering a
username and password. You do not have to specify the domain
name when you log in.
DirectControl accepts the following login formats:
AD username (samAccountName or Mac OS X short name) and
password:
jcool

AD username@domain (userPrincipalName) and password:
jcool@acme.com

NTLM style (domain\username) and password:
mkline\jcool
mkline.com\jcool

When users are defined in a local forest, you can locate them in
Active Directory with any of the user login formats, that is, by their
UNIX profile name, their userPrincipalName, or their
samAccountName in the form of their user logon name alone or in
its full pre-Windows 2000 format of domainname\username.
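The three login formats listed above, taken apart by an added shell example. This is not Centrify code and is not part of the original guide; it shows the normalisation a defender needs when correlating UNIX login records with Active Directory audit logs, where the same person can appear as jcool, jcool@acme.com or mkline\jcool. The default domain acme.com is a constructed stand-in for the domain that adinfo reports as joined; a NetBIOS name in the NTLM form is kept as typed, because mapping it to a DNS domain name needs an Active Directory lookup that this offline example does not make.

```shell
#!/bin/sh
# Added example, not Centrify code: split a login typed in any of the three
# formats DirectControl accepts into a "domain user" pair.
# DEFAULT_DOMAIN is a constructed value standing in for the joined domain.
DEFAULT_DOMAIN="acme.com"

# parse_ad_login LOGIN [DEFAULT_DOMAIN]
# Prints "<domain> <user>" and returns 0, or returns 1 for an empty or
# malformed login (embedded whitespace, more than one separator, empty part).
parse_ad_login() {
    login=$1
    default=${2:-$DEFAULT_DOMAIN}
    [ -n "$login" ] || return 1
    case "$login" in
        *[[:space:]]*)   return 1 ;;        # embedded whitespace
        *@*@*|*\\*\\*)   return 1 ;;        # more than one separator
        *@*\\*|*\\*@*)   return 1 ;;        # mixed UPN and NTLM separators
        *@*)                                 # userPrincipalName: user@domain
            user=${login%%@*}
            domain=${login#*@} ;;
        *\\*)                                # NTLM style: domain\user
            domain=${login%%\\*}
            user=${login#*\\} ;;
        *)                                   # bare samAccountName / short name
            user=$login
            domain=$default ;;
    esac
    [ -n "$user" ] && [ -n "$domain" ] || return 1
    # Domain names are not case-sensitive in Active Directory, so fold them to
    # lower case so that ACME.COM and acme.com key the same audit record. The
    # user part is left as typed; a NetBIOS domain (mkline) is passed through
    # unchanged because resolving it to a DNS name needs a directory lookup.
    domain=$(printf '%s' "$domain" | tr 'A-Z' 'a-z')
    printf '%s %s\n' "$domain" "$user"
}
```

Feed it the login string from a PAM or sshd log line and it returns a stable "domain user" key; rejecting malformed input (two separators, an empty user part, embedded whitespace) matters when the string comes from a log rather than from a trusted login prompt.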

Getting information about the Active Directory configuration


When logged in as an ordinary user or as the root user, you can use
the adinfo command to see information about the Active
Directory configuration for the local computer. For example:
adinfo
Local host name: QA1
Joined to domain: sales.acme.com
Joined as: QA1.sales.acme.com
Pre-win2K name: QA1
Current DC: acme-dc1.sales.acme.com
Preferred site: Default-First-Site
Zone: Auto Zone
Last password set: 2009-11-12 12:01:31 PST
CentrifyDC mode: connected
Licensed Features: Disabled

Note that licensed features are disabled and that the zone is Auto
Zone.
Centrify DirectControl Standard Edition uses its zone technology
to provide secure, granular access control and delegated
administration for UNIX computers joined to a domain.
DirectControl Express, on the other hand, does not provide the
ability to create zones. When a computer joins a domain, it is
automatically joined to Auto Zone. This greatly simplifies the
process of joining a domain but does not provide the same granular
access control as defining and using zones does.
Auto Zone essentially is one super zone for the forest. With Auto
Zone, UNIX attributes that would be defined in the zone to which
the UNIX machine is joined (with Centrify DirectControl Standard
Edition) are derived from user attributes in Active Directory, or
from DirectControl configuration parameters.


Applying password policies and changing passwords


Centrify DirectControl enforces all of the password policies you
have defined in Active Directory for the UNIX accounts you
enable. Therefore, if you create a new UNIX user account that
requires a password change the next time the user logs on, the user
is prompted to change the password the next time she logs on to
either a Windows or UNIX computer.
When the user provides a new password, Centrify DirectControl
checks the new password to make sure it conforms to Active
Directory policies for length and complexity. If the new password
meets all of the criteria, the account is updated with the new
information in Active Directory and the user logs on successfully.
Centrify DirectControl also enforces the password expiration
period, the password reuse policy, account lock out policy,
workstation restrictions, and logon hour restrictions if you have
defined these policies for any user account. In addition, Centrify
DirectControl displays a warning message on the UNIX computer
if a user’s password is about to expire.
Administrators can set, reset, or change the password for users
using Active Directory or from the UNIX command line.
Individual users can also change their own password at any time
using the adpasswd command.

Changing your own password


If you attempt to log in but your password has expired, you are
prompted to provide your old password, a new password, and to
confirm your new password. You can also change your own
password at any time using adpasswd.
To change your own password using adpasswd:
1 At the UNIX command line, run the following command:
adpasswd



2 Type your old password. When changing your own password,
you must always provide your old password.
3 Type the new password. The password should conform to
Active Directory password policies.
4 Retype the new password.
For more information about using adpasswd, see the adpasswd man
page or “Using adpasswd” on page 104.

Changing another user’s password


The adpasswd command can be used to change the password of
another Active Directory user if you provide the user name and
password of an administrative account with the authority to change
another user’s password.
To change the password for another user using adpasswd:
1 At the UNIX command line, run the adpasswd command and
specify an Active Directory administrative account name with
the authority to change the password for users in the domain. For
example, to use the admin user account to change the password
for the user jane in the sales.acme.com domain:
adpasswd --adminuser admin@acme.com jane@sales.acme.com

2 Type the password for the administrative account. For example:
Administrator password: xxx

3 Type the new password for the user specified. Because you are
changing another user’s password, you are not prompted for an
old password. For example:
New password:

4 Retype the new password.
Repeat password:

For more information about using adpasswd, see the adpasswd man
page or “Using adpasswd” on page 104.

Working in disconnected mode


Once an Active Directory user logs on to a UNIX computer
successfully, the authentication is cached by the Centrify
DirectControl Agent. These credentials can then be used to
authenticate the user in subsequent log on attempts if the user is
disconnected from the network or an Active Directory domain
controller is not available.
If there are changes to an account while the account is running in
disconnected mode, the changes don’t take effect until the user
reconnects to Active Directory to start a new session or access a
new service. For example, if a user account is disabled or has its
password changed in Active Directory while the user is
disconnected from the network, the user can still log on and use
the old password until reconnected to the network. Once the user
reconnects to Active Directory, the changes take effect and the user
is denied access or prompted to provide an updated password.
Because changing the password for an Active Directory account
requires a connection to an Active Directory domain controller,
users cannot change their own Active Directory password when
working in disconnected mode.
Note If users log out of a session while disconnected from Active
Directory, they can be authenticated using the information in the
cache when they log back on because they have been successfully
authenticated in a previous session. They cannot, however, be
authenticated automatically to any additional services after logging
back on. To enable automatic authentication for additional services,
the user’s credentials must be presented to the Key Distribution
Center (KDC) then issued a ticket that can be presented to other
services for unprompted, single sign-on authentication. Because the
KDC is unavailable when disconnected from Active Directory,
single sign-on authentication is also unavailable.

You can configure many aspects of how credentials are handled,
including how frequently they are updated or discarded, through
Centrify DirectControl parameter settings in the Centrify
DirectControl configuration file.
To configure how credentials are handled across multiple
computers by using group policies, upgrade from Express to
Centrify DirectControl Standard or Enterprise Edition.

Mapping local UNIX accounts to Active Directory


By default, local UNIX user accounts are still valid on the UNIX
computers that join the Active Directory domain. You can then use
Centrify DirectControl configuration parameter settings to control
any special handling for select accounts. For example, you can use
configuration parameters to map a local user account to an Active
Directory account. Mapping a local UNIX user account to an
Active Directory account gives you Active Directory-based control
over password policies, such as password length, complexity, and
expiration period.
Mapping a local account to Active Directory is especially useful if
you want to migrate an existing local user to an Active Directory
account but preserve access to their current Linux or Mac OS X
home directory and files. For example, if you create an Active
Directory account for an existing local user but specify a different
name, when the user logs in, they will have a new home directory
and will not be able to access their former home directory and files.
To map a local account to an Active Directory account, you can set
the pam.mapuser.username configuration parameter on any
individual local computer.
To configure account mapping across multiple computers by using
group policies, upgrade from Express to a generally-featured
version of Centrify DirectControl.

Using the pam.mapuser parameter to map local accounts


To map a local user account to an Active Directory user by
modifying the Centrify DirectControl configuration file:
1 Create the Active Directory user account to use.
On your Windows Active Directory computer, open Active
Directory Users and Computers (ADUC). Navigate to the Users
node, right-click and select New > User.
Enter the information for the user. You can create any name you
want for the user, but if you want the AD user to have access to
the same home directory and files as the local user, create a user
logon name with the same name as the local user; for example,
for local user joe.cool on the qa2 computer, in the acme.com
domain:
[joe.cool@qa2 ~]$

2 On the Linux or Mac OS X computer, open the Centrify
DirectControl configuration file
/etc/centrifydc/centrifydc.conf.
3 Locate the pam.mapuser.root configuration parameter and
un-comment the line to change the default setting.
4 Modify the local account mapping to identify the local user
account you want mapped to the Active Directory user you
created; for example:
pam.mapuser.joe.cool: joe.cool

5 Save the changes to the configuration file, then run the adreload
command to reload the configuration file and have the changes
take effect.
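Steps 3 to 5 as a repeatable edit, in an added shell example that is not Centrify's code and not part of the original guide. It sets a "key: value" parameter in the configuration file idempotently (an active line is replaced, a commented-out default such as #pam.mapuser.root: root is uncommented and replaced, a missing key is appended), so running it twice cannot leave two mappings for the same local account. The configuration fragment it writes is a constructed sample in a temporary file, not a real centrifydc.conf; on a live system you would point the functions at /etc/centrifydc/centrifydc.conf and then run adreload as in step 5.

```shell
#!/bin/sh
# Added example, not Centrify code: idempotent "key: value" edits on a copy of
# centrifydc.conf. The sample file is constructed; nothing under /etc is touched.

# set_cdc_param FILE KEY VALUE
# Replaces the first active or commented "KEY: ..." line, or appends one.
set_cdc_param() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)           # ignore leading "#" and blanks
            if (!done && index(line, key ":") == 1) {   # first matching line wins
                print key ": " value
                done = 1
                next
            }
            print
        }
        END { if (!done) print key ": " value }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Writing through the original file keeps its owner and mode (root-owned on
    # a real system) instead of replacing it with a file owned by the caller.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_cdc_param FILE KEY: print the active (uncommented) value, if any.
get_cdc_param() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, key ":") == 1 {
            v = substr($0, length(key) + 2)
            sub(/^[ \t]+/, "", v)
            print v
            exit
        }' "$1"
}

# map_local_user FILE LOCALUSER ADUSER: the step-4 edit, pam.mapuser.<local>: <aduser>
map_local_user() {
    set_cdc_param "$1" "pam.mapuser.$2" "$3"
}

# make_sample_conf: write a constructed fragment that mirrors the commented
# pam.mapuser.root default mentioned in step 3, and print its path.
make_sample_conf() {
    f="${TMPDIR:-/tmp}/centrifydc.conf.example.$$"
    cat > "$f" <<'EOF'
# Constructed sample fragment, not a real centrifydc.conf
# Local accounts listed here are authenticated against the named AD user.
#pam.mapuser.root: root
log: INFO
EOF
    printf '%s\n' "$f"
}
```

Because a mapping changes which credentials unlock a local account, get_cdc_param is worth running after the edit as a check that the active value is the one you intended and that no second, commented or stale, mapping for the same user survives in the file.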

Setting a local override account


In most cases, every computer should have at least one account that
can be authenticated locally to ensure you can access the system
when the network or Active Directory is not available or Centrify
DirectControl is not running. By default, the local override account
is set to the root user so that even if you map the root account to
an Active Directory account, you can always log on locally using
root@localhost and the local root account password.

You can change the default root override account or add additional
local users by modifying the computer’s Centrify DirectControl
configuration file.
To configure a local override account across multiple computers by
using group policies, upgrade from Express to Centrify
DirectControl Standard or Enterprise Edition.

Using standard programs such as telnet, ssh, and ftp


When a computer is managed by DirectControl, authorized users
use standard programs and services such as telnet, ssh, and ftp.
Using telnet and ftp are straight-forward operations. See
Appendix D, “Using DirectControl with SSH,” for detailed
information on how to set up and use SSH.

Using Samba
DirectControl Express includes a special Samba package,
DirectControl-enabled Samba, that combines DirectControl with
Samba file server technology to enable DirectControl and Active
Directory to handle identity management and user credentials,
such that Active Directory users on Windows or UNIX computers
can access Samba shares across the enterprise.
See the Samba Integration Guide for details on integrating Samba and
DirectControl.

Using DirectControl Express with an existing Samba
installation
If you are using a non-Centrify-enabled version of Samba
(configured as an AD domain member) and install DirectControl
Express on the same UNIX host, two problems arise:
Samba and DirectControl both attempt to create and manage
the same AD computer account object (based on the UNIX host
name), causing one of the products to stop working.
Conflicting UIDs and GIDs will be assigned to the same AD
users and groups because the algorithms for generating these
values differ between Samba and DirectControl, leading to file
ownership confusion and access control problems.
To address these issues, you can install Centrify-enabled Samba,
which integrates DirectControl and Samba to exist harmoniously
on the same UNIX machine.

Note Due to the lack of zones in DirectControl Express, you
cannot migrate existing Samba-generated UIDs and GIDs to
DirectControl. Although it is possible to manually convert the
Samba-generated UIDs and GIDs to the same IDs generated by
Centrify, currently, Centrify provides no tools to help with this
process.
On the other hand, if you upgrade to a generally-featured version of
DirectControl, Centrify-enabled Samba provides a Perl
configuration script that helps migrate existing UIDs and GIDs to
DirectControl zones.



Setting Auto Zone configuration parameters
DirectControl provides a set of configuration parameters
specifically for computers that are connected to a domain through
Auto Zone, which is how all computers with DirectControl
Express are connected to a domain.
Because Auto Zone is essentially one large zone for the forest, you
can encounter problems such as UID and GID conflicts, slow
searches because of the number of users, and so on in a forest with
a large number of domains.
In general, the default values should work, but if you encounter
problems, such as slow searches or UID conflicts, see Appendix B,
“Customizing Auto Zone configuration parameters,” for
information on how to set specific parameters to resolve the issue.



Chapter 4

Troubleshooting
This chapter describes how to use diagnostic tools and log files to
retrieve information about the operation of Centrify DirectControl
and to identify and correct problems within your environment.
The following topics are covered:
Understanding diagnostic tools and log files
Configuring logging for Centrify DirectControl
Collecting diagnostic information
Working with DNS, Active Directory, and DirectControl

Understanding diagnostic tools and log files


Centrify DirectControl includes some basic diagnostic tools and a
comprehensive logging mechanism to help you trace the source of
problems if they occur. These diagnostic tools and log files allow
you to periodically check your environment and view information
about Centrify DirectControl operation, your Active Directory
connections, and the configuration settings for individual UNIX
and Linux computers.
Although Centrify DirectControl logging is not enabled by default
for performance reasons, log files provide a detailed record of
Centrify DirectControl activity. This information can be used to
analyze the behavior of adclient and communication with Active
Directory to locate points of failure. However, log files and other
diagnostic tools provide an internal view of operation and are
primarily intended for Centrify DirectControl experts and
technical staff.
In most cases, you should only enable logging when you need to
troubleshoot unexpected behavior, authentication failure, or
problems with connecting to Active Directory or when requested
to do so by Centrify Technical Support. Other troubleshooting
tools, such as command line programs, can be used at any time to
collect or display information about your environment.

Configuring logging for Centrify DirectControl


By default, Centrify DirectControl logs errors, warnings and
informational messages in the UNIX syslog and
/var/log/messages files along with other kernel and program
messages. Although these files contain valuable information for
tracking system operations and troubleshooting issues, occasionally
you may find it useful to activate Centrify DirectControl-specific
logging and record that information in a Centrify DirectControl
log file.

Enabling logging for the Centrify DirectControl Agent


To enable Centrify DirectControl logging on the Centrify
DirectControl Agent:
1 Log in as or switch to the root user.
2 Run the addebug command:
/usr/share/centrifydc/bin/addebug on

Note You must type the full path to the command because
addebug is not included in the path by default.

Once you run this command, all of the Centrify DirectControl
activity is written to the /var/log/centrifydc.log file. If the
adclient process stops running while you have logging on, the
addebug program records messages from PAM and NSS requests
in the /var/centrifydc/centrify_client.log file. Therefore,
you should also check that file location if you enable logging.
For performance and security reasons, you should only enable
Centrify DirectControl logging when necessary, for example,
when requested to do so by Centrify Technical Support, and for
short periods of time to diagnose a problem. Keep in mind that
sensitive information may be written to this file and you should
evaluate the contents of the file before giving others access to it.
When you are ready to stop logging activity, run the addebug off
command.

Setting the logging level


You can define the level of detail written to the log by setting the
log configuration parameter in the Centrify DirectControl
configuration file:
log: level

With this parameter, the log level works as a filter to define the
type of information you are interested in and ensure that only the
messages that meet the criteria are written to the log. For example,
if you want to see warning and error messages but not
informational messages, you can change the log level from INFO to
WARN. By changing the log level, you can reduce the number of
messages included in the log and record only messages that indicate
a problem. Conversely, if you want to see more detail about system
activity, you can change the log level to INFO or DEBUG to log
information about operations that do not generate any warnings or
errors.
You can use the following keywords to specify the type of
information you want to record in the log file:

Specify this level    To log this type of information

FATAL                 Fatal error messages that indicate a system failure or other
                      severe, critical event. In addition to being recorded in the
                      system log, this type of message is typically written to the
                      user’s console. With this setting, only the most severe
                      problems generate log file messages.
ERROR                 System error messages for problems that may require
                      operator intervention or from which system recovery is not
                      likely. With this setting, both fatal and less-severe error events
                      generate log file messages.
WARN                  Warning messages that indicate an undesirable condition or
                      describe a problem from which system recovery is likely. With
                      this setting, warnings, errors, and fatal events generate log
                      file messages.
INFO                  Informational messages that describe operational status or
                      provide event notification.

Logging details for a specific component


By default, when you specify a logging level, it applies to all of the
Centrify DirectControl components that log activity. The logging
system, however, provides a hierarchical organization of logical log
names for the components within DirectControl, and each of these
logical logs can be configured to provide more targeted analysis of
its specific operations. For example, if you set your base logging
level to only report serious errors but you want to see
informational, warning, and error messages for adclient, you can
add a separate logging level parameter for the log messages
generated by adclient:
# Use the following setting to set the base level of detail
# for logging to record Error messages:
log: ERROR

# Add the name of the adclient logical log and specify the
# logging level to use for it and its children:
log.com.centrify.adclient: INFO
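How the hierarchy above resolves, as an added shell example that is not Centrify's code and not part of the original guide. It walks a dotted logical log name up to its configured ancestor (log.com.centrify.adclient, then log.com.centrify, log.com, log), the most specific setting winning, and then decides whether a message of a given severity passes the filter, using the level keywords from the table plus DEBUG, which the text names as the most verbose level. SAMPLE_CONF is constructed; the names below adclient (.cache, .auth) and log.com.centrify.nss are hypothetical, used only to show inheritance. On a real system you would read /etc/centrifydc/centrifydc.conf.

```shell
#!/bin/sh
# Added example, not Centrify code: effective logging level for a logical log
# name and a yes/no filter decision. SAMPLE_CONF is a constructed fragment.

SAMPLE_CONF='# constructed sample of the log-related parameters
log: ERROR
log.com.centrify.adclient: INFO
log.com.centrify.adclient.cache: DEBUG'

# lookup_param CONF_TEXT KEY: value of the first active "KEY: value" line
lookup_param() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, key ":") == 1 {
            v = substr($0, length(key) + 2)
            sub(/^[ \t]+/, "", v)
            print v
            exit
        }'
}

# effective_log_level CONF_TEXT LOGNAME: prints the level in force for LOGNAME
effective_log_level() {
    conf=$1; name=$2
    while :; do
        level=$(lookup_param "$conf" "$name")
        if [ -n "$level" ]; then
            printf '%s\n' "$level"
            return 0
        fi
        case "$name" in
            *.*) name=${name%.*} ;;   # drop the last component, try the parent
            *)   return 1 ;;          # reached "log" with nothing configured
        esac
    done
}

# level_rank LEVEL: order of the keywords, least to most verbose
level_rank() {
    case "$1" in
        FATAL) echo 0 ;;
        ERROR) echo 1 ;;
        WARN)  echo 2 ;;
        INFO)  echo 3 ;;
        DEBUG) echo 4 ;;
        *)     return 1 ;;
    esac
}

# would_log CONF_TEXT LOGNAME SEVERITY
# Returns 0 if a SEVERITY message from LOGNAME is written, 1 otherwise
# (including when no level is configured anywhere up the hierarchy).
would_log() {
    eff=$(effective_log_level "$1" "$2") || return 1
    er=$(level_rank "$eff") || return 1
    mr=$(level_rank "$3") || return 1
    [ "$mr" -le "$er" ]
}
```

With the sample, would_log reports that a WARN message from the hypothetical log.com.centrify.nss is dropped (it inherits ERROR from the base log setting) while the same WARN from adclient is kept; that is the behaviour to confirm before relying on a targeted level during an incident, since a level set on the wrong node silently hides the messages you wanted.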

Logging to the circular in-memory buffer


If the Centrify DirectControl Agent’s adclient process is
interrupted or stops unexpectedly, a separate watchdog process
(cdcwatch) automatically enables an in-memory circular buffer that
writes log messages passed to the logging subsystem to help
identify what operation the adclient process was performing
when the problem occurred. The in-memory buffer is also mapped
to an actual file, so that if there’s a system crash or a core dump, the
last messages leading up to the event are saved. Messages from the
in-memory circular buffer have the prefix _cbuf, so they can be
extracted from a core file using the strings command.
The in-memory circular buffer allows debug-level information to
be automatically written to a log file even if debugging is turned
off. It can be manually enabled by restarting the adclient process
with the -M command line option. The default size of the buffer is
128K, which should be sufficient to log approximately 500
messages. Because enabling the buffer can impact performance,
you should not manually enable the circular buffer or modify its
size or logging level unless you are instructed to make the changes
by Centrify Support.

Collecting diagnostic information


You can use the adinfo command to display or collect detailed
diagnostic and configuration information for a local UNIX
computer. Options control the type of information and level of
detail displayed or collected. The options you are most likely to use
to collect diagnostic information are the --config, --diag, or
--support options, which require you to be logged in as root. You
can redirect the output from any adinfo command to a file for
further analysis or to forward information to Centrify Technical
Support.
For more information about the options available and the
information returned with each option, see “Using adinfo” on
page 120.
To display the basic configuration information for the local UNIX
computer, you can type:
adinfo

If the computer has joined a domain, this command displays
information similar to the following:
Local host name: magnolia
Joined to domain: ajax.org
Joined as: magnolia.ajax.org
Current DC: ginger.ajax.org
Preferred site: Default-First-Site-Name
Zone: Auto Zone
Last password set: 2006-12-28 14:47:57 PST
CentrifyDC mode: connected

Working with DNS, Active Directory, and DirectControl


Centrify DirectControl is designed to perform the same set of DNS
lookups that a typical Windows workstation performs to find the
nearest domain controller for the local site. This DNS lookup
enables the DirectControl agent to find domain controllers as they
become available on the network or as the computer is relocated to
another network location where different domain controllers are
present. DirectControl also uses DNS to find the Kerberos service
providers and the Global Catalog service providers for the Active
Directory forest.
In a typical Windows environment, the DNS server role is updated
dynamically to contain the service locator (SRV) DNS entries for
Active Directory’s LDAP, Kerberos, and Global Catalog services,
so this information is available for Centrify DirectControl to use.
However, some DNS configurations may not provide all of the SRV
records for the set of domain controllers that provide Active
Directory service to the enterprise. You may also run into problems
if DNS for the enterprise runs on UNIX servers that cannot locate
your Active Directory domain controllers. The next sections describe
how you can adjust DNS or DirectControl to ensure they work
together properly in your environment.

Configuring the DNS server role on Windows


One of the most common scenarios for running DNS in an
environment with Active Directory is to add the DNS server role
to a Windows domain controller or another Windows server.
If you are already using DNS in Active Directory and dynamically
publishing DNS service records, no additional configuration for
Centrify DirectControl should be necessary. If you are using DNS
in Active Directory but have disabled dynamic updates, you should
change the configuration for the DNS server role to allow dynamic
updates. Making this change will allow Centrify DirectControl to
properly locate domain controllers in the site and select an
appropriate new domain controller if a connection to its primary
domain controller is lost or the managed computer is moved to a
new location on the network.

Configuring DNS running on UNIX servers


If your environment is configured to use UNIX-based DNS servers
instead of Active Directory-based DNS servers, and the UNIX
system is configured to use DHCP, the nameserver entry in the
/etc/resolv.conf file is set automatically to point to a DNS
server.
If this DNS server is aware of the Active Directory domain you
want to join, no further changes are needed. If the DNS server
identified as a nameserver in the /etc/resolv.conf file is not
aware of the domain you are trying to join, for example, because
you are using a test domain or a separate evaluation environment,
you need to either disable DHCP or manually set the location of the
Active Directory domain controller in the Centrify DirectControl
configuration file.

Checking whether DNS can resolve the domain controller


In most cases, you can verify whether a UNIX computer can locate
the domain controller and related services by running the ping
command and verifying connectivity to the correct Active
Directory domain controller or by checking the nameserver entry
in the /etc/resolv.conf file. This nameserver entry should be the
IP address of one of the domain controllers in the domain you want
to join.
If the ping command is successful, it indicates the DNS server is
aware of the Active Directory domain you want to join and no
further changes are needed. If the ping command is not successful,
you will need to take further action to resolve the issue.
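
Beyond the ping check, the following added example (not from the guide) queries the SRV records the previous section names for the LDAP, Kerberos, and Global Catalog services, plus the site-specific LDAP record, using dig. The record names are the standard _msdcs ones that Windows clients query; the sample answer embedded for the parser is constructed.

```shell
#!/bin/sh
# Added example: check the DNS service locator (SRV) records that a Windows
# workstation, and therefore the DirectControl agent, uses to find domain
# controllers, Kerberos KDCs and Global Catalog servers. A successful ping
# proves the DC is reachable; it does not prove the SRV records exist.
# Needs dig for the live check; the parsing helpers run offline.

# ad_srv_names DOMAIN [SITE]: print the record names queried for DOMAIN
# (and, when SITE is given, the site-scoped LDAP record for the local site).
ad_srv_names() {
  domain=$1
  site=$2
  printf '%s\n' \
    "_ldap._tcp.dc._msdcs.$domain" \
    "_kerberos._tcp.dc._msdcs.$domain" \
    "_gc._tcp.$domain"
  if [ -n "$site" ]; then
    printf '%s\n' "_ldap._tcp.$site._sites.dc._msdcs.$domain"
  fi
}

# srv_targets: read `dig +short SRV` output ("priority weight port target.")
# on stdin and print "target port" per record, lowest priority first,
# with the trailing dot removed from the target name.
srv_targets() {
  awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $4, $3 }' | sort -n | cut -d' ' -f2-
}

# check_ad_srv DOMAIN [SITE]: live check; reports each record name that has
# no answer and returns 1 if any is missing (2 if dig is not installed).
check_ad_srv() {
  command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 2; }
  rc=0
  for name in $(ad_srv_names "$1" "$2"); do
    answer=$(dig +short SRV "$name" 2>/dev/null | srv_targets)
    if [ -z "$answer" ]; then
      echo "MISSING: $name"
      rc=1
    else
      echo "$name -> $(echo "$answer" | tr '\n' ' ')"
    fi
  done
  return $rc
}

# Constructed sample of what dig +short SRV prints for two domain controllers.
SAMPLE_SRV_ANSWER='10 100 389 basil.ajax.org.
0 100 389 ginger.ajax.org.'

# Live usage on a joined host, using the domain and site adinfo reports:
#   check_ad_srv ajax.org Default-First-Site-Name
```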

Resolving issues in locating Active Directory domain controllers


If the UNIX computer cannot find the Active Directory domain
controller, there are several ways you can resolve the issue.
Depending on your environment and specific situation, you should
consider doing one of the following:
• Set up DNS on the target Active Directory domain controller
and then manually configure the nameserver entry in the
/etc/resolv.conf file to use that domain controller, as
described in “Setting up DNS service on a target domain
controller” on page 70.
• Set the Centrify DirectControl configuration file to manually
identify the domain controllers you want to use, as described in
“Setting the domain controller in the configuration file” on
page 72.

Setting up DNS service on a target domain controller


One of the simplest ways to ensure that the UNIX computers can
locate the Active Directory domain controller and related services
is to use the DNS service on the Active Directory domain
controller as a DNS slave to the enterprise DNS servers. You can
do this by configuring the DNS server role on the Active
Directory domain controller, then specifying that domain
controller in the UNIX computer’s /etc/resolv.conf file. You can
then add a forwarder to the local DNS on the domain controller
that will pass on all lookups that it cannot satisfy to an enterprise
DNS server.
This configuration does not require any changes to the enterprise
DNS servers. Any lookup request from the domain controller is
simply a query from another computer in the enterprise. However,
the UNIX computers configured to use this slave DNS service will
receive the appropriate Service Location (SRV) records and Global
Catalog updates for the Active Directory domain controller. In
addition, the DNS service on the domain controller can be
configured to forward requests to the enterprise DNS servers so
those requests can be answered when the local DNS service cannot
respond.

Adding a DNS server role to an Active Directory domain controller


To configure the DNS service on a Windows Server 2003 domain
controller:
Note The specific steps for configuring the DNS server vary
depending on whether you are configuring a Windows 2000 Server
or a Windows Server 2003 computer. The following steps describe
how to configure DNS on Windows Server 2003. If you are
configuring DNS on Windows 2000, you may want to consult your
Windows documentation for differences that are specific to your
environment.

1 Open the Start Menu and click Manage Your Server.
2 Click Add or remove a role, review the preliminary steps,
then click Next.
3 Select DNS Server from the list of Server Roles. If the DNS
Server role is not currently configured, click Next.
Note If this server role is already configured on this computer,
you can skip the next steps and go on to “Configuring UNIX to
use DNS service on the target domain controller” on page 72.
4 Review the summary of steps, then click Next to display the
Configure a DNS Server Wizard. Click Next to configure
the DNS server lookup zones.
5 Select the Create a forward lookup zone (recommended
for small networks) option, then click Next.
6 Select This server maintains the zone, then click Next.
7 Type the domain name (dn) component of the Active Directory
domain controller’s name, then click Next. In most cases, you
should specify a sub-domain of the top-level domain name. For
example, if the forest root domain for the organization is
acme.com, you might have a sub-domain of labs.acme.com.
8 Select the Allow both nonsecure and secure dynamic
updates option, then click Next.
9 Type the IP address for at least one of the enterprise DNS
servers, then click Next. Setting at least one valid IP address
ensures that any request the local DNS server cannot answer will
be forwarded to a valid enterprise DNS server.
10 Click Finish to complete the configuration of the DNS server.
Once you have configured DNS on the local computer, the local
computer uses the local DNS server as its primary DNS server.

Configuring UNIX to use DNS service on the target domain controller


Once you have configured the DNS service to contain the required
Active Directory entries, you simply need to modify the UNIX
computer to send all DNS lookup requests to the newly configured
DNS server.
To configure the UNIX computer to use the new DNS server:
1 Open the /etc/resolv.conf file.
2 Set the IP address of the nameserver entry to the IP address of
the DNS server on the Active Directory domain controller you
just configured.

Setting the domain controller in the configuration file


If you are not able to use DNS to locate the Active Directory
domain controllers on your network, you can manually specify one
or more domain controllers in the Centrify DirectControl
configuration file.
To manually specify a domain controller, add the following entry to
the Centrify DirectControl configuration file,
/etc/centrifydc/centrifydc.conf:
dns.dc.domain_name: server_name [server_name ...]

For example, if you want to use Centrify DirectControl in a
domain called mylab.test and the domain controller for this
domain is dc1.mylab.test, you would add the following line to the
/etc/centrifydc/centrifydc.conf file:
dns.dc.mylab.test: dc1.mylab.test

Note You must specify the name of the domain controller, not its IP
address. In addition, the domain controller name must be resolvable
using either DNS or in the local /etc/hosts file. Therefore, you
must add entries to the local /etc/hosts for each domain controller
you want to use if you are not using DNS or if the DNS server
cannot locate your domain controllers.

To specify multiple servers for a domain, use a space to separate the
domain controller server names. For example:
dns.dc.mylab.test: dc1.mylab.test dc2.mylab.test

Centrify DirectControl will attempt to connect to the domain
controllers in the order specified. For example, if the domain
controller dc1.mylab.test cannot be reached, Centrify
DirectControl will then attempt to connect to dc2.mylab.test.
If the Global Catalog for a given domain is on a different domain
controller, you can add a separate dns.gc.domain_name entry to
the configuration file to specify the location of the Global Catalog.
For example:
dns.gc.mylab.test: dc3.mylab.test

You can add as many domain and domain controller entries to the
Centrify DirectControl configuration file as you need. Because the
entries manually specified in the configuration file override any site
settings for your domain, you can completely control
DirectControl’s binding to the domains in your forest through this
mechanism.
Note In most cases, you should use DNS whenever possible to
locate your domain controllers. Using DNS ensures that any
changes to the domain topology are handled automatically through
the DNS lookups. The settings in the configuration file provide a
manual alternative to looking up information through DNS for those
cases when using DNS is not possible. If you use the
manually-defined entries in the configuration file and the domain
topology is changed by an Active Directory administrator, you must
manually update the location of the domains in each configuration
file.

Using the fixdns script


Centrify DirectControl includes a fixdns script that you can use to
inspect your environment and make the necessary configuration file
changes for you.
To run this script, you need to specify the domain controller name
and IP address:
fixdns domain_controller_name IP_address

For example, if you intend to join the domain mytest.lab and the
domain controller for that domain is dc1.mytest.lab and its
address is 172.27.20.1, you would run the following command:
fixdns dc1.mytest.lab 172.27.20.1

The fixdns script will then make the necessary changes to the
/etc/hosts and the DirectControl configuration file.

Note This script does not update the /etc/resolv.conf file. If the
script cannot locate the domain controller using the existing
/etc/resolv.conf settings, it will assume that you want to use
settings from the configuration file.
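
Both the note above (every domain controller named in a dns.dc or dns.gc entry must resolve through DNS or /etc/hosts) and the changes fixdns makes can be checked with this added example, which is not from the guide or from Centrify. The configuration fragment and hosts text are constructed samples; the live check reads the real files.

```shell
#!/bin/sh
# Added example: verify that every domain controller named in the manual
# dns.dc.* / dns.gc.* entries of centrifydc.conf can actually be resolved,
# either from /etc/hosts or through the resolver, as the note above requires.
# Useful after editing the file by hand or after running fixdns.
# Both inputs below are constructed samples, not taken from a real system.
SAMPLE_CONF='dns.dc.mylab.test: dc1.mylab.test dc2.mylab.test
dns.gc.mylab.test: dc3.mylab.test
log: ERROR'

SAMPLE_HOSTS='127.0.0.1   localhost
172.27.20.1 dc1.mylab.test dc1
# dc2 intentionally missing
172.27.20.3 dc3.mylab.test'

# manual_dcs: print every server named on dns.dc.* or dns.gc.* lines read
# from stdin, one per line (the value after the colon is space-separated).
manual_dcs() {
  awk '/^dns\.(dc|gc)\./ {
         sub(/^[^:]*:[ \t]*/, "")
         for (i = 1; i <= NF; i++) print $i
       }'
}

# in_hosts NAME: succeed if NAME is a hostname or alias in hosts-file text
# read from stdin (field 1 is the address, the rest are names).
in_hosts() {
  awk -v n="$1" '
    /^[ \t]*#/ { next }
    { for (i = 2; i <= NF; i++) if ($i == n) { found = 1; exit } }
    END { exit !found }'
}

# unresolved_dcs CONF HOSTS: print the names that resolve neither via the
# hosts text nor via getent (when available); return 1 if any were printed.
unresolved_dcs() {
  conf=$1
  hosts=$2
  rc=0
  for name in $(printf '%s\n' "$conf" | manual_dcs); do
    if printf '%s\n' "$hosts" | in_hosts "$name"; then
      continue
    fi
    if command -v getent >/dev/null 2>&1 && getent hosts "$name" >/dev/null 2>&1; then
      continue
    fi
    printf '%s\n' "$name"
    rc=1
  done
  return $rc
}

# Live usage on a managed host (run as root):
#   unresolved_dcs "$(cat /etc/centrifydc/centrifydc.conf)" "$(cat /etc/hosts)"
```

Against the constructed inputs the function prints dc2.mylab.test, the one controller that is listed in the configuration but neither in the hosts text nor in DNS.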

Appendix A

Using Centrify DirectControl UNIX commands

This appendix provides an overview of the command line interface
and complete reference information for the command line
programs you can run on Centrify DirectControl-managed
systems.
The following topics are covered:
Understanding when to use command line programs
Displaying usage information and man pages
Understanding common result codes
Using adjoin
Using adleave
Using adcheck
Using adlicense
Using adpasswd
Using adquery
Using adinfo
Using addebug
Using adfinddomain
Using adflush
Using adid
Using adclient
Using adcache
Using adreload

Understanding when to use command line programs


The UNIX command line programs are installed by default when
you install the Centrify DirectControl Agent on a computer. The
commands are typically installed in one of the following locations:
the /usr/sbin directory, the /usr/bin directory, or the
/usr/share/centrifydc/bin directory.

The command line programs allow you to perform basic Active
Directory administrative tasks directly from a UNIX shell or from a
shell script. These commands use the underlying Centrify
DirectControl service library to enable you to add a UNIX, Linux,
or Mac OS X computer to an Active Directory domain, leave the
Active Directory domain, change Active Directory user
passwords, and return detailed Active Directory, network, and
diagnostic information for a host computer.
You should use the UNIX command line programs interactively or
in shell scripts when you must take action directly from a UNIX
computer, for example to join or leave a domain, or when taking
action from the UNIX computer is most convenient, for example
when individual users want to set new Active Directory passwords
from their UNIX login shell.
You use these commands to perform specific tasks, for example:
• The most important command is the adjoin command. You
must use adjoin to add a UNIX computer to an Active
Directory domain, so it is the command you use first and run on
each UNIX computer.
• You should use adleave if you want to remove a UNIX
computer from its current Active Directory domain or from the
Active Directory forest entirely.
• You can use adpasswd to change an Active Directory account
password from a UNIX computer.
• You can use adquery to retrieve information from Active
Directory for a user or group.
• You can use adinfo to collect and display detailed diagnostic
and configuration information for a UNIX computer and its
Active Directory domain.

Displaying usage information and man pages


You can display a summary of usage information for any of the
UNIX command line programs by typing the command and the
--help or -h option. For example, to see usage information for the
adleave command:

adleave --help

The usage information displayed is a summary of the valid
command line options and required arguments and a brief
description of each option.
For more complete information about any command, you can
review the information in the command’s manual page. For
example, to see the manual page for the adleave command:
man adleave

Understanding common result codes


All of the Centrify DirectControl command line programs share a
common set of return codes that describe the result of the
operation that the program attempted to perform. The following
table lists the result codes that are reserved for use by all of the
command line programs.

Result  Error name                   Indicates
0       ERR_SUCCESS                  Successful completion of the operation.
6       ERR_OTHERS                   Miscellaneous errors occurred during the operation.
7       ERR_USAGES                   Usage error occurred during the operation.
8       ERR_OP_ABORTED               Operation aborted by user.
9       ERR_ROOT_PRIV                Root privilege is required for the operation.
10      ERR_NOT_JOINED               Computer is not currently joined to any Active Directory domain.
11      ERR_ALREADY_JOINED           Computer is currently joined to an Active Directory domain.
12      ERR_JOINED_ANOTHER_DOMAIN    Computer is currently joined to another Active Directory domain.
13      ERR_ADCLIENT_DOWN            The adclient process is not running or not available.
14      ERR_ADCLIENT_DISCONNECTED    The adclient process is running in disconnected mode.
15      ERR_ADLCIENT_STARTUP         The adclient process failed to start.
16      ERR_DNS_TIMEOUT              The DNS server is not responding and may be down.
17      ERR_DNS_GENERIC              Generic DNS problem occurred during the operation.
18      ERR_INVALID_DOMAIN_NAME      The Active Directory domain name is incorrect or not found in DNS.
19      ERR_INVALID_LOGON            User name or password provided is not correct.
20      ERR_ACCOUNT_DISABLED         The account specified has been disabled.
21      ERR_ACCOUNT_EXPIRED          The account specified has expired.
22      ERR_ACCOUNT_EXISTS           The account specified already exists.
23      ERR_ACCOUNT_NOTFOUND         The account specified was not found in Active Directory.
24      ERR_PASSWORD_EXPIRED         The account password has expired.
25      ERR_ZONE_NOTFOUND            Unable to find the zone.
26      ERR_CONTAINER_NOTFOUND       Invalid Active Directory container object.
27      ERR_INSUFFICIENT_PERM        The account specified does not have sufficient permissions to perform the operation.
28      ERR_CLOCK_SKEW               The time difference between system clocks is outside the acceptable range.
29      ERR_COMPUTER_NAME            Invalid computer account.
30      ERR_CRED_INVALID             Invalid credentials.
31      ERR_SERVICE_TKT_INVALID      The service ticket is not valid.
32      ERR_POLICY_NOT_MATCH         Policy not matched.
33      ERR_REJECT_CHG_PASSWD        Password change rejected.
34      ERR_WORKSTATION_DENY         Workstation denied.
35      ERR_NOT_FIND_USER            No matching user was found.
36      ERR_NOT_FIND_GROUP           No matching group was found.
37      ERR_NOT_CONNECT_ADCLIENT     An attempt to open a connection to the adclient process failed.
38      ERR_ADLCIENT_STOP            Unable to stop the adclient process.
39      ERR_QUOTA_EXCEEDED           The user has exceeded the number of join operations allowed.
40      ERR_OPEN_FILE                The attempt to open a file failed.
41      ERR_READ_FILE                The attempt to read a file failed.
42      ERR_COPY_FILE                The attempt to copy a file failed.

In addition to these common result codes, each program may also
provide one or more command- or operation-specific result codes.
Command-specific results are included in the command reference
section for individual command line programs.

Using adjoin
The adjoin command adds the local host computer to the specified
Active Directory domain. The basic syntax for the adjoin program
is:
adjoin [options] domain

The domain name should be a fully-qualified domain name, for
example, sales.acme.com.
If the computer is already a member of another domain, you must
leave the old domain by running adleave to remove the computer
account from the old domain. Once you have left the old domain,
you can run adjoin to join the new domain.
Note To run adjoin, you must be logged in as root.

By default, when you run adjoin, the program performs the
following tasks:
• Locates the domain controller for the specified domain and
contacts Active Directory.
• Synchronizes the local computer’s time with Active Directory
to ensure the timestamp of Kerberos tickets is within the
acceptable time period to allow for authentication.
• Checks whether a computer account already exists for the local
computer in Active Directory, and creates a new Active
Directory computer account for the computer, if needed.
• Updates the Kerberos principal service names used by the host
computer, generating new /etc/krb5.conf and krb5.keytab
files and new service keys for the host and http services.
• Sets the password on the Active Directory computer account to
a randomly-generated password. The password is encrypted and
stored locally to ensure Centrify DirectControl alone has
control of the account.
• Starts the Centrify DirectControl daemon (adclient).

You may join a specific zone or, if you do not specify a zone,
join the default zone, which Centrify DirectControl creates
automatically when you are running a licensed copy of
DirectControl. If you are running Centrify DirectControl Express,
you can only join a domain through Auto Zone, not by connecting
to a specific zone. See “Understanding Zones and Auto Zone” on
page 20 for more information.

Setting valid options


You can use the following options with this command:

Use this option              To do this

-u, --user username[@domain]
    Specify an Active Directory username with sufficient rights to
    add a computer to the specified domain and create new computer
    accounts. For example, depending on the security delegation
    policies in place, you may need to specify a user account with
    Domain Administrator privileges. By default, however, any
    authenticated Active Directory user can join a computer to the
    domain.
    You must use the username@domain format to specify the user
    account if the username is not a member of the domain being
    joined.
    Note When specifying username@domain, you cannot use an
    alternative UPN. You must use the domain defined for your
    account.
    If you do not specify the --user option, the default is the
    Administrator user account. Because this account has special
    rights that can represent a security risk, many organizations
    disable or restrict access to it. Therefore, in most cases, you
    should specify the --user option when joining a domain.

-p, --password userpassword
    Specify the password for the Active Directory user account
    performing the join operation. If you do not provide the
    password at the command line, you are prompted to enter the
    password before the command executes.
    Note Specifying a password at the command line represents a
    security risk because the password can be retrieved while the
    command is running or from command history after the command
    has completed its execution.

-c, --container containerDN
    Specify the distinguished name (DN) of the container or
    Organizational Unit in which to place this computer account.
    You can specify the containerDN by:
    • Canonical name (ajax.org/unix/services). You cannot specify
      a partial name for the canonical name.
    • Fully distinguished name (cn=services,cn=unix,dc=ajax,dc=org)
    • Relative distinguished name without the domain suffix
      (cn=services,cn=unix).
    For example, to place the computer in the UNIX/Services
    container within the ajax.org domain using the canonical name,
    you could specify:
    --container “ajax.org/UNIX/Services”
    The DN you specify can refer to any container within the
    directory but does not need to include the domain suffix. The
    domain suffix is appended to the containerDN programmatically
    to provide the complete distinguished name for the object. For
    example, if the domain suffix is acme.com, to place this
    computer in the paris.regional.sales.acme.com organizational
    unit within the acme.com domain, you would specify:
    “ou=paris, ou=regional, ou=sales”
    If you do not specify a container, the computer account is
    created in the domain’s default Computers container.
    Note The container you specify must already exist in Active
    Directory or the join operation will fail. In addition, you
    must have permission to add entries to the specified container.

-n, --name computername
    Specify the host name you want to use for this computer in
    Active Directory. The maximum length for computer account names
    in Active Directory is normally 15 or 24 characters and some
    characters cannot be used. For more information about naming
    conventions in Active Directory, see the Active Directory
    documentation.
    If you do not specify a computername, the computer account name
    in Active Directory is the same as the local host name.
    This option is most commonly used if you have a disjointed DNS
    namespace. For example, if the local UNIX host is a member of
    the DNS zone ajax.org, but is joining the Active Directory
    domain emea.ajax.org, you can use this option to join the
    domain with a computer name that is different from the name of
    the computer in DNS:
    -n finserv.emea.ajax.org
    This option can also be used in conjunction with the --alias
    option if the computer has multiple IP addresses and there are
    DNS records for those addresses.

-N, --prewin2k accountname
    Specify the pre-Windows 2000 name for this computer in Active
    Directory. The pre-Windows 2000 name is the name stored in the
    samAccountName attribute. The maximum length for the
    samAccountName attribute is 19 characters.
    Note Although the actual limit is 19 characters, it is
    recommended that you limit the name to 15 characters because
    some Windows functions use this attribute as a NetBIOS name,
    which has a 15-character limit. If the name is larger than 15
    characters, DirectControl must use less efficient NTLM
    authentication methods.
    If you do not specify this option, the default pre-Windows 2000
    name is the computer account name truncated at 15 characters.
    This option enables you to manually specify the pre-Windows
    2000 name you want to use.
    This option is most commonly used if the naming conventions for
    computer account names result in names that are longer than the
    15 character limit.

-f, --force
    Overwrite the information stored in Active Directory for an
    existing computer account. This option allows you to replace
    the information for a computer previously joined to the domain.
    If there is already a computer account with the same name
    stored in Active Directory, you must use this option if you
    want to replace the stored information. You should only use
    this option when you know it is safe to force information from
    the local computer to overwrite existing information.

-a, --alias computeralias
    Specify an alias name you want to use for this computer in
    Active Directory. This option creates a Kerberos service
    principal name for the alias and the computer may be referred
    to by this alias. This option would normally be used if a
    computer has more than one Ethernet port and each port is known
    by a different DNS name. You can specify more than one --alias
    option if you need to specify multiple aliases for a single
    computer.

-z, --zone zonename
    Specify the name of the zone in which to place this computer
    account. If you do not specify a zone, the computer joins the
    domain in the default zone (a zone named “default” can be
    created when you run the Setup Wizard for the first time).
    Note If you are using the Express mode of DirectControl, you
    cannot use this option. You must join a domain through Auto
    Zone by using the --workstation option.
    If individual zone names are not unique across the Active
    Directory forest, you can use the canonical name of the zone to
    uniquely identify the zone you want to join. For example, if
    you have more than one “default” zone, you can use the full
    canonical name of the zone to specify which “default” zone to
    join.
    If you specify a zone name and the named zone does not exist,
    the join operation fails.
    Note If users and groups are unique across the forest and not
    required to be segregated into zones, you can join the Active
    Directory domain by using the --workstation option to connect
    to Auto Zone instead of specifying a zone. The --workstation
    and --zone options are mutually exclusive.

-C, --noconf
    Indicate that you do not want to update the local system’s PAM
    and NSS configuration. If you set this option, you will need to
    modify the PAM and NSS configuration files manually to work
    with the adclient daemon.

-s, --server domaincontroller
    Specify the name of the domain controller to which you prefer
    to connect. You can use this option to override the automatic
    selection of a domain controller based on the Active Directory
    site information.

-Z, --zoneserver domaincontroller
    Specify the name of the domain controller to use for zone
    operations. You can use this option, for example, if the zone
    is defined in a different domain than the one you are joining.
    Note You cannot use this option when using the Express
    deployment mode of DirectControl.

-g, --gc domaincontroller
    Specify the name of the domain controller to use for global
    catalog operations. You can use this option if the default
    domain controller is not writable or does not support global
    catalog operations.

-T, --trust
    Set the Trust for delegation option in Active Directory for the
    computer account. Trusting an account for delegation allows the
    account to perform operations on behalf of other accounts on
    the network.
    If you want to use this option, you should clear the local
    cache on the client before joining the domain.

-k, --des
    Set the computer account to use the Data Encryption Standard
    (DES) for keys.

-P, --precreate
    Precreate a computer account in Active Directory without
    joining the domain. If you use this option, you must also
    specify the name of the computer account you want to precreate
    using the --name option.
    The --precreate option does the following:
    • Creates a computer object in Active Directory in the
      organizational unit you specify or the Computers container.
    • Resets the computer account password to the computer’s host
      name (in lower case).
    • Creates an Extension object in the zone.
    The following permissions are granted to the computer object:
    • Read and Write to the operatingSystemServicePack,
      operatingSystem, and operatingVersion attributes of the
      Computer object.
    • Reset the computer's password.
    • Read the userAccountControl attribute of the Computer
      object.
    • Validated write to the servicePrincipalName and dNSHostName
      attributes.
    By precreating the computer account and its
    serviceConnectionPoint, you can allow any user to join the
    computer to a domain without granting any special rights or
    performing any zone delegation. This option also enables you to
    create all the computer accounts you want in a batch job and
    automate how computers join the domain.

-m, --compat
    Precreate a computer object that is compatible with DirectControl version 2.x and later. You must specify this option if you want the precreated computer object to be compatible with those versions.
-S, --selfserve
    Use the computer object’s account credentials to join the domain.
    Note You cannot use this option when using the Express deployment mode of DirectControl.
    To use this option, you must have done one of the following:
    • Precreated the computer account in Active Directory using the Pre-Create Computer wizard.
    • Previously joined the computer to a domain, then left using the adleave --reset option, which resets the computer account to a precreated, pre-joined state, such that you can rejoin the domain using the --selfserve option.
    Note If you use the --selfserve option, you don’t need to specify a zone for the computer. The computer is automatically made a member of the zone where the precreated object was created. You must, however, specify the Active Directory domain to successfully add the computer to the domain.
-V, --verbose
    Display information about each step in the join process as it occurs. This option can be useful in diagnosing join problems. This option also writes log messages to the centrifydc.log file for troubleshooting purposes.
-v, --version
    Display version information for the installed software.

-w, --workstation
    Join the computer to an Active Directory domain by connecting to Auto Zone rather than by making the computer a member of any specific zone.
    When joined to Auto Zone, every Active Directory user and group defined in the forest and any users defined in a two-way trusted forest are valid UNIX users or groups. You can use this option when:
    • Active Directory identities are unique for the forest and trusted external forest.
    • Active Directory users and groups only require one set of properties for all computers and do not need to be segregated into zones for any reason.
    For the join to be successful, all of the domains in the forest and the trusted external forest must be unique. If domains are not unique across the forest trust, you must manually configure a unique prefix for each trusted domain using parameters in the centrifydc.conf configuration file.
    Note The --workstation and --zone options are mutually exclusive.
domain
    Specify the fully-qualified domain name you want the local computer to join. There is no default setting, so this argument is required.

Examples of using adjoin

Joining a domain can be a very simple or fairly sophisticated operation depending on the design of your Active Directory forest, how you want to manage your UNIX systems, and the policies your organization follows. The following examples illustrate some of the options you can use when joining a domain.
When joining a domain using Centrify DirectControl Express, you must use the --workstation option. For example:
adjoin --workstation acme.com

If you want to join the sales.acme.com domain using a user account that is not in that domain, using a specified host name and Organizational Unit, you could type a command line similar to the following:
adjoin --workstation --user jeff@acme.com --name orlando --container "ou=UNIX computers" sales.acme.com

You are then prompted to provide the password for the user
jeff@acme.com. If the password is correct and the local computer
can successfully connect to Active Directory, a new computer
account is added to Active Directory using the computer name
“orlando” in the “UNIX computers” Organizational Unit.
Note When specifying username@domain to join a domain, you
cannot use an alternative UPN. For example, if your organization
uses an alternate UPN to allow you to log in as garcia@mission.org
but your account is actually defined in the sf.mission.org domain,
you must use that domain when specifying the user account. For
example:
adjoin --workstation --user garcia@sf.mission.org la.mission.org

Understanding the files modified by running adjoin

Running adjoin modifies several key files to complete the join operation and configure your environment to work with Active Directory for authentication, authorization, and directory services. By default, the following files are modified by running adjoin:

Type                         On               File location
Kerberos configuration file  Most platforms   /etc/krb5.conf
                             Solaris          /etc/krb5/krb5.conf
Kerberos keytab file         Most platforms   /etc/krb5.keytab
                             Solaris          /etc/krb5/krb5.keytab
NSS configuration file       Most platforms   /etc/nsswitch.conf
PAM configuration file       HPUX, Solaris    /etc/pam.conf
                             Red Hat Linux    /etc/pam.d/system-auth
                             All other Linux  /etc/pam.d/*
LAM configuration file       AIX              /usr/lib/security/methods.cfg
Login control file           AIX              /etc/security/user

In addition, the following files are created in the /var/centrifydc directory by running adjoin or by starting the Centrify DirectControl Agent for the first time:


Name                   Purpose
daemon                 The pipe that clients open to communicate with the agent
dc.cache               Cache of objects from the Domain Controller
gc.cache               Cache of objects from the Global Catalog
dcdn.idx               Cache index
extmgr.idx             Cache index
gcdn.idx               Cache index
gid.idx                Cache index
gname.idx              Cache index
search.idx             Cache index
uid.idx                Cache index
uname.idx              Cache index
kset.domain            The domain name
kset.domaincontroller  The domain controller host name
kset.host              The host name used to join
kset.schema            The current schema version
kset.site              The preferred site
kset.zone              The Zone GUID
kset.zonename          Readable zone name
reg/*/*/*              Group Policy registry files downloaded from AD

Working in an environment without a global catalog


If you join a UNIX computer to a domain where there is no global
catalog available, users from other domains must use their
fully-qualified login name to be authenticated successfully.

Understanding join-specific result codes


Most of the common result codes described in “Understanding
common result codes” on page 77 apply to join operations. In
addition to those common codes, however, the adjoin command
can generate join-specific result codes when there are errors that
prevent a computer from joining a domain. The following table
lists these join-specific result codes.

Result Error name Indicates
156 ERR_JOIN_ATTRMAP
    The mapping of computer account properties to Active Directory attributes failed. If you encounter this problem, you may need to map all attributes, then rerun the adjoin command.
157 ERR_JOIN_UPDATE
    The computer failed to join the domain. If you encounter this problem, you may need to take corrective action:
    • Check whether the computer’s hostname exceeds 15 characters. If the hostname exceeds 15 characters, shorten it or use the --name option to specify a name that is 15 characters or less, then rerun the adjoin command.
    • Check whether the computer's primary DNS suffix matches the Active Directory domain DNS name or another allowed primary DNS suffix. If the DNS suffix does not match the Active Directory domain or is not an allowed primary DNS suffix, you may need to change the DNS or domain configuration, then rerun the adjoin command.
158 ERR_STRONGER_AUTH_NEEDED
    A stronger authentication method is required by Active Directory. If you encounter this problem, you should set the LDAP traffic encryption parameter, adclient.ldap.packet.encrypt, to Allowed or Required in the Centrify DirectControl configuration file, then rerun the adjoin command.
159 ERR_UNEXPECTED_LDAP_REFERRAL
    There was an unexpected referral response. This is usually caused by an erroneous replication object in Active Directory. If you encounter this problem, you should check the zone container for replication errors, then rerun the adjoin command.
160 ERR_SPN_NOT_UNIQUE
    The servicePrincipalName (SPN) was not unique. Each SPN must be unique across the Active Directory forest. If you encounter this problem, you should use a servicePrincipalName that is unique across the forest, then rerun the adjoin command.
    You can search for duplicate service principal names using the Analyze wizard.
161 ERR_SERVERNAME_INVALID
    The domain server was specified using an IP address. If you encounter this problem, you should specify the domain controller name using a fully-qualified DNS name.
162 ERR_CHANGE_DIR
    The attempt to change to the data directory failed.
163 ERR_DOMAIN_NOT_TRUSTED
    The domain specified is not in the same forest or is not a trusted domain. If you encounter this problem, you should check the trust relationship for the domain or use a different domain, then rerun the adjoin command.
164 ERR_MULTIPLE_ZONES_FOUND
    Multiple zones were detected. If you encounter this problem, you should check the zones defined, then rerun the adjoin command and specify only one zone.
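As an added example that is not part of the Centrify guide, the following POSIX shell script applies the two ERR_JOIN_UPDATE (157) checks from the table as a pre-flight step, then runs adcheck and adjoin --workstation (the option Express mode requires) and translates the adjoin exit status into the error name from the table. It assumes adcheck and adjoin are on PATH and that hostname -f returns the host's fully-qualified name; the check functions themselves run on constructed input.

```shell
#!/bin/sh
# Added example, not code from the Centrify guide. Pre-flight checks for the
# two causes listed under result code 157 (ERR_JOIN_UPDATE), a mapper from
# adjoin exit codes to the join-specific error names, and a driver that runs
# adcheck then adjoin --workstation (the option Express mode requires).
# Assumptions: adcheck and adjoin are on PATH, and `hostname -f` returns the
# host's fully-qualified name on the target platform.

# Return 0 when the short host name is 15 characters or fewer, the limit
# named under result code 157; otherwise return 1.
hostname_ok() {
    _h=$1
    [ "${#_h}" -le 15 ]
}

# Return 0 when the primary DNS suffix (everything after the first dot of the
# FQDN) matches the domain being joined, compared case-insensitively.
dns_suffix_ok() {
    _suffix=$(printf '%s' "${1#*.}" | tr 'A-Z' 'a-z')
    _domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$_suffix" = "$_domain" ]
}

# Print the error name for an adjoin exit status, using the join-specific
# codes documented in the table above; anything else prints UNKNOWN.
join_error_name() {
    case $1 in
        0)   echo OK ;;
        156) echo ERR_JOIN_ATTRMAP ;;
        157) echo ERR_JOIN_UPDATE ;;
        158) echo ERR_STRONGER_AUTH_NEEDED ;;
        159) echo ERR_UNEXPECTED_LDAP_REFERRAL ;;
        160) echo ERR_SPN_NOT_UNIQUE ;;
        161) echo ERR_SERVERNAME_INVALID ;;
        162) echo ERR_CHANGE_DIR ;;
        163) echo ERR_DOMAIN_NOT_TRUSTED ;;
        164) echo ERR_MULTIPLE_ZONES_FOUND ;;
        *)   echo UNKNOWN ;;
    esac
}

# Run both checks against an FQDN and target domain. Prints a remediation
# hint drawn from the table and returns 1 on the first failure, or prints
# "preflight ok" and returns 0.
preflight() {
    _fqdn=$1
    _target=$2
    _short=${_fqdn%%.*}
    if ! hostname_ok "$_short"; then
        echo "host name '$_short' exceeds 15 characters: shorten it or pass adjoin --name"
        return 1
    fi
    if ! dns_suffix_ok "$_fqdn" "$_target"; then
        echo "DNS suffix '${_fqdn#*.}' does not match domain '$_target': fix DNS or domain configuration"
        return 1
    fi
    echo "preflight ok"
    return 0
}

# Driver for a real host: stop at the first failing stage and report the
# adjoin exit status together with its documented name.
join_express() {
    _target=$1
    preflight "$(hostname -f)" "$_target" || return 1
    adcheck "$_target" || return 1
    adjoin --workstation --verbose "$_target"
    _rc=$?
    echo "adjoin exited with $_rc ($(join_error_name "$_rc"))"
    return "$_rc"
}

# Uncomment to run against a real domain (as root):
# join_express sales.acme.com
```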

Using adleave
The adleave command removes the local host computer from its current Active Directory domain. Once a computer has become a member of a domain, you must run the adleave command to leave that domain before you can move a computer to a new domain.

The basic syntax for the adleave program is:
adleave [options]

By default, when you run adleave, the program performs the following tasks:
• Contacts Active Directory and deactivates the computer account associated with the local UNIX host. The program does not remove the computer account from Active Directory. To remove the computer account entirely, you must delete it from Active Directory manually with Active Directory Users and Computers.
• Reverts any computer settings that were changed by the adjoin command to their pre-adjoin condition. This includes reverting PAM, NSS, and Kerberos configuration files to their pre-join states, deleting the /var/centrifydc/* files, and deleting /etc/krb5.keytab.
  When you join a domain, the Kerberos configuration file, /etc/krb5.conf, and keytab file, /etc/krb5.keytab, are automatically generated for you. Because the /etc/krb5.conf file can contain entries used by other applications, it is not removed automatically when you leave a domain. If you leave the domain, you should check whether this file is used by any other applications or if it has been manually edited. If it is not used by other applications, you can safely delete the file after leaving the domain.
• Stops the Centrify DirectControl daemon (adclient).
Note To run adleave you must be logged in as root.

Setting valid options
You can use the following options with this command:

Use this option To do this
-u, --user username[@domain]
    Identify an Active Directory user account with sufficient rights to remove a computer from the domain.
    You must use the username@domain format to specify the user account if the username is not a member of the computer's current domain. If you do not specify the --user option, the default is the Administrator user account.
-p, --password userpassword
    Specify the password for the Active Directory user account performing the leave operation. If you do not provide the password at the command line, you are prompted to enter the password before the command executes.
    Note Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.
-s, --server domaincontroller
    Specify the name of the domain controller that you prefer to use to disconnect from the domain. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information.
-Z, --zoneserver domaincontroller
    Specify the name of the domain controller to use for zone operations. You can use this option, for example, if the zone is defined in a different domain than the domain you are leaving.
    Note You cannot use this option when using the Express deployment mode of DirectControl.

-C, --noconf
    Indicate that you do not want to revert the local system's PAM and NSS configuration files to their original state. Normally, if you leave a domain, any changes that have been made to the PAM and NSS configuration files to work with the adclient daemon during the join operation are removed. If you set this option to leave the file changes in place, you should review the PAM and NSS configuration files for potential changes.
    Note Be sure to review and, if necessary, edit the PAM and NSS configuration files before you use this option. If you don't take precautions before using this option, the computer may become inoperable and require a reboot in single user mode to fix the problem.
-f, --force
    Indicate that you want to force the local computer’s settings to their pre-join conditions even if the adleave command cannot connect to Active Directory or is not successful in deactivating the Active Directory computer account.
    You must use this option if the Active Directory computer account has been modified or deleted so that the host computer can no longer work with it.

-G, --nogp
    Indicate that you do not want to revert any group policies applied to the computer to their original state.
    Note This option has no effect when using the Express deployment mode of DirectControl as group policies are not supported by Centrify DirectControl Express.
    Normally, if you leave a domain, any group policy changes that have been applied to UNIX configuration files are reverted to restore the files to their pre-join state.
-r, --remove
    Remove the computer account from Active Directory.
-R, --restore
    Restore system configuration files to their pre-join state without leaving the domain.
-t, --reset
    Reset the computer account to its precreated, pre-joined state.
    This option resets the computer account password to the hostname (in lowercase) and disables the computer zone object.
    Specifying --reset allows you to leave a domain, then rejoin using the adjoin --selfserve option, which allows you to specify machine credentials when joining a domain. This option is valuable for virtual, cloud-computing environments that require the ability to dynamically join and leave a domain.
-v, --version
    Display version information for the installed software.
-V, --verbose
    Display detailed information for each operation.

Examples of using adleave


Leaving a domain is a straightforward process that returns a computer to its pre-join state. The following examples illustrate the options you can use when leaving a domain.
To remove a computer from its current domain using the default options and the Administrator user account, you could type a command line similar to the following:
adleave

You are then prompted for the Active Directory Administrator password.
To remove a computer from its current domain using a specific user account and without reverting the PAM and NSS configuration files to their pre-join state, you could type a command line similar to the following:
adleave --user raj@acme.com --noconf

You are then prompted for the password for the user raj@acme.com.

To revert all computer settings to their pre-join state even if the command is unable to deactivate the host computer's account in Active Directory, you could type a command line similar to the following:
adleave --force

Understanding adleave-specific result codes

In addition to the common result codes described in “Understanding common result codes” on page 77, the adleave command can generate leave-specific result codes when there are errors that prevent a computer from leaving a domain. The following table lists these leave-specific result codes.

Result Error name Indicates
156 ERR_STOP_NIS_ADCLIENT
    The adleave command was unable to stop the adnisd or adclient process. If you encounter this problem, you may need to manually stop the processes, then rerun the adleave command.
157 ERR_DELETE_CONTENT
    The adleave command was unable to delete all content.
158 ERR_LEAVE_FAILED
    The attempt to leave the domain failed. If you encounter this problem, you may need to rerun the adleave command with the --force option.
159 ERR_CONNECT_DC
    The adleave command was unable to connect to the domain controller. If you encounter this problem, you may need to rerun the adleave command with the --force option.
160 ERR_SYNC_TIME
    Time is not synchronized between the local system clock and the domain controller.

Using adcheck
The adcheck command can be used to perform operating system, network, and Active Directory tests to verify that a machine is ready to join the specified Active Directory domain. The domain should be a fully-qualified domain name, for example, sales.acme.com.

The output from adcheck includes notes, warnings, and fatal errors, along with suggestions on how to fix them.
By default, adcheck performs the following tests:
• Operating system check to verify that the operating system is supported and at the correct patch levels, and that there is sufficient disk space.
• Network check to verify DNS and SSH.
• Active Directory check to verify various aspects of the Active Directory configuration, including the domain name, time and domain synchronization, and checking up to 10 domain controllers (which can be extended by an adcheck parameter for large domains).
Note The adcheck program is run automatically when you install the Centrify DirectControl Agent by running the install.sh program or the graphical-user-interface installer on a Mac OS X platform.

To run adcheck you must be logged in as root.

The basic syntax for the adcheck program is:
adcheck [--alldc] [--siteonly] [--bigdomain number]
[--xml filename] [--test os|net|ad]
[--servername domainController] [--verbose] [--version]

Setting valid options

You can use the following options with this command:

Use this option To do this
-a, --alldc
    Check all domain controllers. This option overrides the --siteonly and --bigdomain options. The --servername option overrides this option. If you do not specify --alldc, --siteonly, or --servername, adcheck checks the number of domain controllers specified by the --bigdomain option (default is 10).
-s, --siteonly
    Check all domain controllers for the first detected site. This option overrides the --bigdomain option. The --alldc and --servername options override this option.
-b, --bigdomain number
    Specify the number of domain controllers to check. The default is 10. The --alldc, --siteonly, and --servername options override this option.
-x, --xml filename
    Specify the filename in which to generate XML output.
-t, --test os|net|ad
    Run only one or two of the tests, as follows:
    • os — Operating system check
    • net — Network check
    • ad — Active Directory check
-s, --servername domainController
    Specify the domain controller to connect to when performing the network checks. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information.
    This option overrides the --alldc, --siteonly, and --bigdomain options.
-V, --verbose
    Display diagnostic information about the host, the domain, and the domain controller.
-v, --version
    Display version information for the installed software.

Using adlicense
The adlicense command can be used to enable or disable licensed features on a local computer.
If you execute adlicense with no options, it displays the current mode, either licensed or express.
In licensed mode, a computer has access to group policies and may join any existing zones.
In express mode (licensing is disabled), a computer may not download or execute group policies and cannot join a zone. The computer is automatically joined to Auto Zone.
To run adlicense you must be logged in as root.
The basic syntax for the adlicense program is:
adlicense [--licensed] [--express] [--verbose] [--version]

Setting valid options

You can use the following options with this command:

Use this option To do this
-l, --licensed
    Enable licensed features, including the ability to use group policies and join a specific zone. After you enable licensed features, the computer is still joined to Auto Zone. You may keep the computer joined to Auto Zone or join a specific zone, in which case you must first leave the zone with adleave, then rejoin the domain with the adjoin --zone command.
    To enable licensing, you must have installed a valid license key. Enabling licensing consumes a license.
-e, --express
    Disable licensed features. This option unmaps group policies and prevents the machine from joining any specific zones. The computer is automatically joined to Auto Zone.
    If you are running in licensed mode, and execute adlicense --express to switch to Express mode, a license is restored.
    Note You cannot use this option if the machine is currently joined to a zone. You must first leave the domain, then connect to Auto Zone when rejoining the domain.
-V, --verbose
    Display detailed information about the operation performed.
-v, --version
    Display version information for the installed software.

Using adpasswd
The adpasswd command changes the password for an Active Directory user account. It can be used to change the password of the current user executing the command or to change the password of another Active Directory user. If you want to change the password for any Active Directory account other than your own, you must provide the user name and password of an administrative account with the authority to change that user’s password.
The basic syntax for the adpasswd program is:
adpasswd [options] [user[@domain]]

If a user@domain is specified in the command line, you must provide an administrative user name and password for an Active Directory account with the authority to set passwords for other Active Directory users. If a user@domain is not specified in the command line, this command can only be used to change the password for the current user account.
Because adpasswd allows a user to change his or her own password, you do not need to be logged in as root to run this command.
Note Changing a user’s password with this command updates the user’s Active Directory account. Once changed, the new password must be used for all activities that are authenticated through Active Directory, including logging on to the UNIX shell, logging on to Windows computers, and accessing applications on both UNIX and Windows.

Setting valid options

You can use the following options with this command:

Use this option To do this
-a, --adminuser adminuser[@domain]
    Identify an Active Directory user account with sufficient rights to modify another Active Directory user account.
    You must use the adminuser@domain format to specify the account if the administrative user is not a member of the host computer's current domain.
    If you do not specify this option, the default is the Administrator user account.

-p, --adminpass adminpassword
    Specify the password for the Active Directory administrative account when changing another user’s Active Directory password. If you do not provide the password at the command line, you are prompted to enter the password before the command executes. However, if adpasswd detects Kerberos credentials, it uses those for the command, and if these credentials are not sufficient, you receive an error message rather than a prompt for a password.
    Note Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.
-V, --validate
    Check the validity of a user’s password. This option is used to verify whether a specified user can log on with the specified password.
-o, --oldpass oldpassword
    Specify the current password for the Active Directory user account.
    This option is only used when the user executing the command is trying to change the password for his or her own account. This option is ignored if the administrator is trying to change the password for another user account.
    If you are trying to change your own password and do not provide the current password at the command line, you are prompted to enter the old password before the command executes.

-n, --newpass newpassword
    Specify the new password for the Active Directory user account. If you do not provide the password at the command line, you are prompted to enter the new password and confirm the new password by retyping it before the command executes.
    The new password must meet the Active Directory domain password policy requirements for length and complexity.
    Note Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.
-v, --version
    Display version information for the installed software.
user[@domain]
    Specify the Active Directory user account for the password change. You must use this option if you are changing another Active Directory user’s account password. You should not use this option when changing your own account password. If a user name is not specified, the default is always the current user’s account.
    You must use the user@domain format to specify the account if the user is not a member of the host computer’s current domain.

Examples of using adpasswd

In most cases, you use this command to change the password for your own account. The following command illustrates how to change the password for the current user account. It prompts for the old and new passwords because they aren’t provided in the command line:
adpasswd
Old password: xxx
New password: xxx
Repeat password: xxx

The following command illustrates changing the password for another user account, jane@acme.com, which is in a domain outside the host computer’s own Active Directory domain. Because this example changes the password for another user, the command specifies an Active Directory administrative account, admin@acme.com, with the authority to change the password for Jane’s account:
adpasswd --adminuser admin@acme.com jane@acme.com

You are then prompted for the administrator password and the user’s new password because these values aren’t provided in the command line.
Administrator password: xxx
New password for jane@acme.com: xxx
Repeat password: xxx

To check whether a user can log on with a specific password, you can use the --validate option. For example:
adpasswd --validate pablo@acme.com
Password: xxx

If the user name and password are valid and can be authenticated by Active Directory, a successful validation message is displayed. If the user name and password specified cannot be authenticated, the command displays a message indicating the authentication failure:
Password validate failed for user pablo
Account cannot be accessed at this time
Please contact your system administrator

Understanding adpasswd-specific result codes

In addition to the common result codes described in “Understanding common result codes” on page 77, the adpasswd command can generate command-specific result codes when errors are encountered. The following table lists these command-specific result codes.

Result Error name Indicates
156 ERR_PASSWDFILE_MISS
    The password could not be updated because the passwd file could not be found.
157 ERR_PASSWDFILE_BUSY
    The password could not be updated because the passwd file was being used by another program.

Using adquery
The adquery command enables you to query Active Directory for
information about users and groups from the command line on a
Centrify DirectControl-managed system. The options you can use
depend on whether you are looking up user information or group
information. You can look up information for a specific user or
group or for all of the users or groups in a zone.
The basic syntax for the adquery program is as follows:
adquery user|group [options] [username|groupname]

You can specify a single option in the command line to have the
information returned as one value per line suitable for use in
scripts. If you specify multiple options in the command line, the
information returned is formatted in a list with field labels
identifying each value.

Querying user information

You can use the adquery user command to look up one or more details about one or more specified users in Active Directory. If you don’t specify any users in the command line, the command lists all of the users in the zone.
The basic syntax for querying user information is:
adquery user [options] [username]

You can specify the username in any supported format. If the user name includes any blank spaces, the name should be enclosed by quotation marks. For example, if you want to specify an Active Directory account name consisting of a first name and a last name, you can type a command similar to the following:
adquery user --samname --enabled "Jae Park"

Setting valid options for user information

You can use the following options with the adquery user command:

Use this option To do this
-h, --home
    Display the specified user’s home directory or the home directory for all users in the zone.
-g, --group
    Display the specified user’s primary group identifier (GID) or the primary group identifier (GID) for all users in the zone.
-G, --groups
    List the UNIX-enabled groups the user is a member of.
-a, --adgroups
    List all of the Active Directory groups the user is a member of. Active Directory groups are listed by canonical name.
-s, --shell
    Display the user’s default shell.
-u, --uid
    Display the user identifier (UID) for the specified user or for all users in the zone.
-p, --display
    Display the displayName attribute for the user or for all users in the zone.
-o, --gecos
    Display the contents of the GECOS field for the user or for all users in the zone.
-n, --unixname
    Display the UNIX login name for the specified user or for all users in the zone.
-M, --samname
    Display the Active Directory logon name for the specified user or for all users in the zone.

-i, --sid
    Display the Active Directory security identifier (SID) for the specified user or for all users in the zone.
-P, --principal
    Display the Kerberos user principal name (UPN) for the specified user or for all users in the zone.
-S, --service
    Display the Kerberos service principal name (SPN) for the specified user or for all users in the zone.
-C, --canonical
    Display the Active Directory canonical name for the specified user or for all users in the zone.
-H, --hash
    Display the UNIX password hash for the specified user if you are using password synchronization between Active Directory and DirectControl-managed computers.
    You must be logged on as the root user or querying Active Directory for your own account information to retrieve the password hash.
-x, --acct-expire
    Display the date the user account expires.
    You must be logged on as the root user or querying Active Directory for your own account information to retrieve this information.
-w, --pwd-expire
    Display the date the current password for the user account expires.
    You must be logged on as the root user or querying Active Directory for your own account information to retrieve this information.
-c, --pwd-nextchange
    Display the date after which the user may change their password.
    You must be either logged on as the root user or be querying Active Directory for your own account information to retrieve this information.

Appendix A • Using Centrify DirectControl UNIX commands 111


Using adquery

Use this option To do this


-l, --pwd-lastchange Display the date of the last password
change for the user.
You must be logged on as the root user or
querying Active Directory for your own
account information to retrieve this
information.
-k, --locked Determine whether the Active Directory
account for the user is locked because of
failed attempts to log on.
You must be logged on as the root user or
querying Active Directory for your own
account information to retrieve this
information.
-d, --disabled Determine whether the Active Directory
account for the user has been disabled.
You must be logged on as the root user or
querying Active Directory for your own
account information to retrieve this
information.
-e, --enabled Determine whether the Active Directory
account for the user has been enabled for
UNIX access in the current zone.
-D, --dn Display the distinguished name (dn) for
the specified user or for all users in the
zone.
-W, --userWorkstations List the value of the user’s Active Directory
userWorkstations attribute, which
specifies the machines from which the
user may log into the domain. If the output
is blank, the user is not restricted to a
particular machine.
-A, --all List all of the information returned by the
other command line options for the user.
-F, --cache-first Read data from the cache rather than from
Active Directory. Only read from Active
Directory if an object has expired.

112 DirectControl Express Edition Administrator’s Guide


Use this option To do this
-r, --separator char Specify the separator character or string
(char) to use between fields. The default
separator between fields is a colon (:). For
example:
jae:uid:525

-R, --list-separator char Specify the separator character or string


(char) to use between the values in a list.
The default separator between values in a
list is a comma (,). For example:
jae:unixGroups:testlab,dev2
-f, --prefix Add the user’s UNIX user name as a prefix
when returning single values. This option
formats the information returned to
include the user’s UNIX name when you
are querying for a specific attribute, such
as the user’s UID or displayName.
This option is not necessary if you query
for multiple attributes in the command
line. If you query for multiple attributes,
the information returned is formatted with
the user’s UNIX name and a label
identifying each attribute by default.
-X, --extattr Display the list of extended attributes or
the value of a specified extended attribute.
Note Extended attributes are only
applicable on AIX computers.
You can use the keyword help to view a
list of the supported extended attributes.
For example:
adquery user --extattr help
To look up the value of a specific extended
attribute, include the name of the attribute
in the command line. For example, to look
up the value of the aix.rlogin extended
attribute:
adquery user -X aix.rlogin jae

-v, --version Display version information for the


installed software.

Querying group information


You can use the adquery group command to look up one or more
details about a specified group or multiple groups in Active
Directory. If you don’t specify any groups in the command line, the
command lists all of the groups in the zone.
The basic syntax for querying group information is:
adquery group [options] groupname

You must use the canonical format for the group name if specifying
the Active Directory group name. For example, if you want to
specify the Active Directory group name, you can type a command
similar to the following:
adquery group "ajax.org/Users/TestExpert Team"

Setting valid options for group information

You can use the following options with the adquery group command:

Use this option          To do this

-m, --members
    List the UNIX members of the specified group or of all groups in the zone.
-a, --admembers
    List the Active Directory members of the specified group or of all groups in the zone.
-s, --sammembers
    List Active Directory members of the specified group or all groups in the form name@domain; for example, jsmith@AJAX.COM
-g, --gid
    Display the group identifier (GID) for the specified group or of all groups in the zone.
-q, --required
    Display whether membership in the specified group is required or not. For more information about required groups, see adsetgroups.
-n, --unixname
    Display the UNIX group name for the group.
-M, --samname
    Display the Active Directory name for the group.
-i, --sid
    Display the Active Directory security identifier (SID) for the group.
-C, --canonical
    Display the Active Directory canonical name for the group.
-D, --dn
    Display the distinguished name (dn) for the group.
-A, --all
    List all of the information returned by the other command line options for the group. If you use this option without specifying a group name, the command lists details for all of the groups in the zone.
-F, --cache-first
    Read data from the cache rather than from Active Directory. Only read from Active Directory if an object has expired.
-r, --separator char
    Specify the character or string (char) to use as the separator between an attribute name and its value. The default separator between attributes and values is a colon (:). For example:
    unixname:qa-euro
-R, --list-separator char
    Specify the character or string (char) to use as the separator between the values in a list. The default separator between values in a list is a comma (,). For example:
    unixGroups:unixdev,testexpe
-f, --prefix
    Add the UNIX group name as a prefix when returning single values. This option formats the information returned to include the UNIX group name when you are querying for a specific attribute, such as the group GID or membership list.
    This option is not necessary if you query for multiple attributes in the command line. If you query for multiple attributes, the information returned is formatted with the UNIX group name and a label identifying each attribute by default.
-t, --type
    Display the scope and group type for a specified group. The valid group types are:
    • local security
    • global security
    • universal security
-v, --version
    Display version information for the installed software.

Examples of using adquery


You can use adquery to return a specific value for a user or group
or to list multiple details about a user or group. The format of the
output depends on whether you specify a single attribute or
multiple attributes on the command line. For example, if you want
to see a complete list of details about the group unixdev, you
would type:
adquery group --all unixdev

This command returns the results for the unixdev group in the
following format:
unixname:unixdev
gid:400
required:false
dn:CN=Unix Developers,CN=Users,DC=ajax,DC=org
groupType:global security
samAccountName:Unix Developers
sid:S-1-5-21-3619768212-1024502798-2657341593-1106
canonicalName:ajax.org/Users/Unix Developers
members:ajax.org/Users/Ashish Menendez,ajax.org/Users/Ben Waters,ajax.org/Users/Monte Fisher,ajax.org/Users/Jae Kim,ajax.org/Users/Jay W. Reynolds,ajax.org/Users/Pierre Leroy,ajax.org/Users/Rae Parker,ajax.org/Users/Zoe Green
unixMembers:ashish,ben,fisher,jae,jay,pierre,rae,zoe

Similarly, if you want to see a complete list of details about the user
jae@ajax.org, you would type:
adquery user --all jae@ajax.org

This command returns the results for the user in the following
format:
unixname:jae
uid:409
gid:400
gecos:Jae Kim
home:/home/jae
shell:/bin/bash
dn:CN=Jae Kim,CN=Users,DC=ajax,DC=org
samAccountName:jae
display:jae
sid:S-1-5-21-3619768212-1024502798-2657341593-1185
userPrincipalName:jae@AJAX.ORG
servicePrincipalName:
canonicalName:ajax.org/Users/Jae Kim
passwordHash:x
accountExpires:Never
passwordExpires:Thu Apr 12 15:21:04 2007
nextPasswordChange:Fri Mar 2 14:21:04 2007
lastPasswordChange:Thu Mar 1 14:21:04 2007
accountLocked:false
accountDisabled:false
zoneEnabled:true
unixGroups:unixdev,testexpe
memberOf:ajax.org/Users/Unix Developers,ajax.org/Users/Domain Users,ajax.org/Performix/TestExpert Team

Specifying a single attribute for users and groups


When you specify a single attribute in the command line, the
information is displayed as one value per line without any attribute
label or identifier. For example, if you want to return the canonical
name for the qa-euro group as an unlabeled value, you would type:
adquery group --canonical qa-euro

This command displays the canonical name without any prefix or
label:
ajax.org/Users/QA Europe

Similarly, if you want to return only the UID for the user
rae@ajax.org, you would type:
adquery user --uid rae@ajax.org
10003

To list a single attribute about multiple groups or users, you can
specify the additional groups or users in the command line. For
example, to see a list of the UNIX user names of Active Directory
members for the testexp, performx and unixdev groups, you
would type:
adquery group --members testexp performx unixdev

This command returns the UNIX user names of the members in
each group in the following format:
ben,fisher,jae,jolie,rae
zoe
ashish,ben,fisher,jae,jay,pierre,rae,zoe

If you want the results to include the UNIX user name or group
name, you can add the --prefix option to the command line. For
example, to include the UNIX group name with a membership list
for the testexp, performx and unixdev groups, you would type:
adquery group --members --prefix testexp performx unixdev

This command returns the members in each group in the following
format:
testexp:ben,fisher,jae,jolie,rae
performx:zoe
unixdev:ashish,ben,fisher,jae,jay,pierre,rae,zoe

Specifying multiple attributes for users and groups


When you query multiple attributes for a user or group, the results
display the UNIX user or group name, followed by an attribute
label to identify the attribute values displayed. For example, to
return the samAccountName and unixGroups for the users rae, ben,
ashish, and jae, you would type:
adquery user --samname --groups rae ben ashish jae

This command returns the requested information for each user in
the following format:
rae:samAccountName:rae-old
rae:unixGroups:unixdev,testexpe,perform2
ben:samAccountName:ben
ben:unixGroups:qualtrak,unixdev,testexpe
ashish:samAccountName:ashish
ashish:unixGroups:qualtrak,unixdev
jae:samAccountName:jae
jae:unixGroups:unixdev,testexpe,perform2
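The labelled unixname:attribute:value lines are straightforward to post-process in a script. The following is an added example written for the output format shown above; it is not part of this guide or of Centrify’s software. It assumes the input is the output of adquery user --locked --disabled --enabled run as root (the --locked and --disabled options require root or your own account), substitutes a constructed sample for a live query, and reports every account that Active Directory shows as locked or disabled while the zone still has it UNIX-enabled, which is the combination an administrator reviewing zone access would want to see first. The optional argument mirrors the -r/--separator option, so output produced with a different field separator can be fed in unchanged.

```shell
#!/bin/sh
# Added example for this guide's adquery output format; not Centrify's code.
# Flags Active Directory accounts that are locked or disabled but still
# UNIX-enabled in the zone. Intended input (assumed, run as root because
# --locked and --disabled need root or your own account):
#   adquery user --locked --disabled --enabled | flagged_accounts

# Constructed sample output, using the accountLocked, accountDisabled and
# zoneEnabled labels that appear in the guide's "adquery user --all" example.
SAMPLE_ADQUERY='rae:accountLocked:false
rae:accountDisabled:false
rae:zoneEnabled:true
ben:accountLocked:true
ben:accountDisabled:false
ben:zoneEnabled:true
zoe:accountLocked:false
zoe:accountDisabled:true
zoe:zoneEnabled:true
lynn:accountLocked:true
lynn:accountDisabled:false
lynn:zoneEnabled:false
jae:accountLocked:false
jae:accountDisabled:false
jae:zoneEnabled:true'

# flagged_accounts [separator]
# Reads "unixname<sep>label<sep>value" lines on stdin and prints one line
# per flagged user, sorted by UNIX name. The optional argument is the field
# separator chosen with adquery -r/--separator; the default is the colon.
flagged_accounts() {
    sep=${1:-":"}
    awk -F"$sep" '
        NF >= 2 {
            user = $1; label = $2
            # A value can itself contain the separator (a DN, for example),
            # so rejoin everything after the label.
            value = $3
            for (i = 4; i <= NF; i++) value = value FS $i
            attr[user, label] = value
            seen[user] = 1
        }
        END {
            for (u in seen) {
                if (attr[u, "zoneEnabled"] == "true" &&
                    (attr[u, "accountLocked"] == "true" ||
                     attr[u, "accountDisabled"] == "true"))
                    printf "%s locked=%s disabled=%s\n", u,
                           attr[u, "accountLocked"], attr[u, "accountDisabled"]
            }
        }' | sort
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_ADQUERY" | flagged_accounts
```

On the sample, ben (locked) and zoe (disabled) are reported; lynn is locked but no longer UNIX-enabled in the zone, so the script leaves it out. Because the default output uses a colon between fields, a DN value that contains colons would be split; the rejoin loop handles that case.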

Listing information for all users and groups in a zone


If you don’t specify a username or groupname in the command line,
the adquery command returns information for all users or all
groups in the current zone. The format of the output depends on
whether you specify a single attribute or multiple attributes and any
other options you set. For example, to list the UNIX group names
and GIDs for all of the groups in the current zone, you would type:
adquery group --gid --prefix

This command returns the group names and GIDs in the following
format:
unixdev:400
oracle:700
qualtrak:800
performi:401
perform2:402
financeu:403
testexpe:404
integrit:405

Similarly, to return a list of UIDs and display names for all of the
users in the current zone, you would type:
adquery user --uid --display

For example:
rae-old:uid:10003
rae-old:displayName:Rae S. Parker
jay:uid:501
jay:displayName:Jay W. Reynolds
zoe:uid:502
zoe:displayName:Zoe Green
ben:uid:503
ben:displayName:Ben Waters
ashish:uid:504
ashish:displayName:Ashish Menendez
fisher:uid:505
fisher:displayName:Monte Fisher
pierre:uid:506
pierre:displayName:Pierre Leroy
lynn:uid:507
lynn:displayName:Lynn Hogan
tess:uid:508
tess:displayName:Tess Adams
jolie:uid:509
jolie:displayName:Jolie Ames-Anderson
jae:uid:510
jae:displayName:Jae Kim

Using adinfo
The adinfo command displays detailed Active Directory, network,
and diagnostic information for a local UNIX computer. Options
control the type of information and level of detail displayed.
The basic syntax for the adinfo program is:
adinfo [option] [--user username[@domain]] [--password password]

The option argument can be any of the following:

adinfo [--domain] [--gc] [--zone] [--zonedn] [--site]
[--server] [--name] [--all] [--support [--output filename]]
[--diag [domain]] [--config] [--mode] [--test] [--verbose]
[--version] [--auth [domain]] [--servername domain_controller]
[--computer]
The --domain, --gc, --zone, --zonedn, --site, --server, and
--name options are intended for use in scripts to return the current
Active Directory domain, global catalog domain controller, zone,
site, domain controller, and computer account name, respectively.
The other options provide more detailed or operation-specific
information.
You can use the --user and --password options in conjunction
with the --all, --support, --diag, or --auth option to specify
the user name and password of an Active Directory account with
permission to read the computer account information in the Active
Directory domain controller you are accessing. If you run adinfo
while logged in as root, you do not need to specify the --user or
--password option because the command uses the Active
Directory account associated with the local host. If you run the
adinfo command with a user account that doesn’t have permission
to read the computer account information in Active Directory,
some information may not be available in the command output.
Note To run the adinfo --support command, you must be logged
in as root. You are not required to log in as root for any of the other
adinfo options.

If you do not specify an option, adinfo returns the basic set of
configuration details for the local computer, which is equivalent to
specifying adinfo --all.

Setting valid options

You can use the following options with this command:

Use this option          To do this

-d, --domain
    Return the name of the local computer’s Active Directory domain. If the computer isn’t currently joined to an Active Directory domain, then the command exits and returns an exit status of 2.
-G, --gc
    Return the name of the local computer’s Active Directory domain controller used for global catalog operations. If the computer isn’t currently joined to an Active Directory domain, then the command exits and returns an exit status of 2.
-z, --zone
    Return the name of the local computer’s Active Directory zone or “Auto Zone” if a computer is joined to Auto Zone and not a member of any specific zone. If the computer isn’t currently joined to an Active Directory domain, then the command exits and returns an exit status of 2.
-Z, --zonedn
    Return the distinguished name (DN) of the local computer’s Active Directory zone or the distinguished name (DN) of the computer’s Active Directory domain if the computer is joined to Auto Zone. The distinguished name is the name that uniquely identifies an entry in the directory, beginning with the most specific attribute and continuing with progressively broader attributes. If the computer isn’t currently joined to an Active Directory domain, then the command exits and returns an exit status of 2.
-s, --site
    Return the name of the local computer’s Active Directory site. If the computer isn’t currently joined to an Active Directory domain, then the command exits and returns an exit status of 2.
-r, --server
    Return the fully-qualified name of the local computer’s Active Directory domain controller. If the computer isn’t currently joined to an Active Directory domain, then the command exits and returns an exit status of 2.
-n, --name
    Return the fully-qualified name of the local computer’s computer account name in Active Directory. If the computer isn’t currently joined to an Active Directory domain, then the command exits and returns an exit status of 2.
-a, --all
    Return the following information:
    • Local host name
    • Domain the computer is joined to
    • Computer account name in Active Directory
    • Local preferred site
    • Centrify DirectControl zone
    • The date and time that the password was last reset for the computer’s Active Directory computer account
    • Current operational mode indicating whether the computer is connected to Active Directory or running in disconnected mode
    Note If you use this option but the user account doesn’t have permission to read the computer account information in Active Directory, the command output does not indicate whether shell access has been enabled or information about the last password set.
-t, --support [--output filename]
    Return all of the information supplied by the --all option and the following additional information:
    • The current configuration parameters set in /etc/centrifydc/centrifydc.conf
    • The settings from /etc/krb5.conf
    • The contents of the log file /var/log/centrifydc.log
    • The key list from /etc/krb5.keytab
    This option is typically used to send complete diagnostic information to a file, which can then be sent to Centrify Technical Support for analysis. By default, the output for the command is written to the file /tmp/adinfo_support.txt. You can save the output in a different location or using a different file name by using the optional --output argument. To send --support output to stdout, use a hyphen (-) in the command line in place of the filename.
    Note The root account is required if you want to retrieve the Kerberos key version stored in Active Directory for comparison with the local Kerberos key.
-g, --diag [domain]
    Return the diagnostic information for the host computer and a specific Active Directory domain. If you don’t specify the domain, the command returns information for the computer’s current domain.
    Specifying a domain is useful when an attempt to join the computer to an Active Directory domain fails. By specifying adinfo --diag and the domain you tried to join, you can better diagnose why an attempt to join failed.
    This option returns the following information:
    • Local host name.
    • Local IP address.
    • List of the DNS servers for the specified domain.
    • Host name or IP address of the DNS server supplied by the domain controller.
    • Whether the domain controller has up-to-date global catalog data so that it can become the global catalog, if necessary.
    • Functional level of the specified Active Directory domain.
    • Functional level of the domain’s Active Directory forest.
    • Functional level of the domain controller.
    • Name of the Active Directory forest to which the specified domain belongs.
    • Name of the computer account in Active Directory for this computer.
    • Kerberos key version for this computer.
    • List of Kerberos service principal names this computer has registered with Active Directory.
    Note You should use the root user account when you use this option. If you don’t use the root account, the command will not be able to bind to the domain controller or locate the computer account. The root account is also required to compare the local key version with the key version stored in Active Directory.
-c, --config
    Return the parsed contents of the Centrify DirectControl configuration file.
-m, --mode
    Display whether the computer is currently connected to Active Directory or running in disconnected mode. If the adclient process is not currently running at all, this option will return the agent status as down.
    Note You should use the root user account when you use this option to display the appropriate status. If you don’t use the root account, the command will not be able to check the adclient lock file to confirm whether adclient is running or not.
-T, --test
    Test the availability of the ports Centrify DirectControl requires for authentication through Active Directory.
-V, --verbose
    Display detailed information about each operation as it is performed. You can use this option in combination with other options.
-v, --version
    Display version information for the installed software.
-u, --user username[@domain]
    Identify an Active Directory user account with sufficient rights to read the computer account information. You must use the username@domain format to specify the user account if the username is not a member of the computer’s current domain. If you do not specify the --user option, the default is the Administrator user account.
-p, --password userpassword
    Specify the password for the Active Directory user account. If you do not provide the password at the command line, you are prompted to enter the password before the command executes.
    Note Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.
-A, --auth [domain]
    Authenticate the user name and password for the user specified with the --user option against the specified domain. If you don’t specify a domain, the user is validated against the currently joined domain. This option only validates that the user name and password you enter can be authenticated by Active Directory. You cannot use this option in combination with other options to display other types of information.
-S, --servername domain_controller
    Connect to a specific domain controller to perform network diagnostics. You can use this option in combination with any of the other options.
-C, --computer
    Display the service principal names (SPNs) associated with the computer account.

Examples of using adinfo


In most cases, you use the adinfo command to provide information
that will help you diagnose and resolve problems in Centrify
DirectControl or Active Directory environments.
To display the basic configuration information for the local UNIX
computer, you can type:
adinfo

If the computer has joined a domain, this command displays
information similar to the following:
Local host name: magnolia
Joined to domain: ajax.org
Joined as: magnolia.ajax.org
Pre-win2k name: magnolia
Current DC: ginger.ajax.org
Preferred site: Default-First-Site-Name
Zone: ajax.org/Program Data/Centrify/Zones/default
Last password set: 2006-12-21 11:37:22 PST
CentrifyDC mode: connected
Licensed Features: Enabled

Note Whether licensed features are enabled or disabled is only
relevant for Linux and Mac computers and is not shown for Solaris
and other UNIX systems.

You can also use adinfo in shell scripts to return specific
information, such as the domain a computer has joined. For
example, the following command returns the host computer’s
current domain and no other information:
adinfo --domain

For example:
ajax.org

The adinfo --diag command can also be useful in diagnosing
Active Directory configuration issues and Kerberos problems. For
example, in addition to other information, the --diag option
returns the Kerberos key version for the UNIX computer. The key
version is stored both locally and in the computer’s Active
Directory account. It is incremented when a service principal’s
password key changes. If the local key differs from the Active
Directory account key version, it indicates that the local key is no
longer in sync with the Active Directory key and this may cause
authentication to fail.
By running adinfo --diag and checking the Key Version: field
you can determine whether the key versions are the same or out of
sync. If the versions are different, the Key Version field shows both
keys and indicates which is local and which comes from Active
Directory. If the computer isn’t joined to a domain, it has no local
key and the following is displayed:
Key Version: local key version unavailable

If the computer is joined to a domain other than the specified
domain, the Active Directory key is shown as:
<unavailable>

If the computer has joined a domain, the adinfo --diag command
displays information similar to the following truncated example:
Host Diagnostics
uname: Linux magnolia 2.4.21-15.EL #1 Thu Apr 22 00:27:41 EDT 2004 i686
OS: Red Hat Enterprise Linux ES
Version: 3 (Taroon Update 2)
Number of CPUs: 1

IP Diagnostics
Local host name: magnolia
FQDN host name: magnolia (domain missing?)
Local IP Address: 192.168.147.135

Domain Diagnostics:
Domain: ajax.org
Subnet site: Default-First-Site-Name
DNS query for: _ldap._tcp.ajax.org
Found SRV records:
ginger.ajax.org:389
Testing Active Directory connectivity:
Domain Controller: ginger.ajax.org
ldap: 389/udp - good
ldap: 389/tcp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
Domain Controller: ginger.ajax.org:389
Domain controller type: Windows 2003
Domain Name: AJAX.ORG
isGlobalCatalogReady: TRUE
domainFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Forest Name: AJAX.ORG
DNS query for: _gc._tcp.AJAX.ORG
Testing Active Directory connectivity:
Global Catalog: ginger.ajax.org
gc: 3268/tcp - good
Domain Controller: ginger.ajax.org:3268
Domain controller type: Windows 2003
Domain Name: AJAX.ORG
isGlobalCatalogReady: TRUE
domainFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Forest Name: AJAX.ORG

Retrieving zone data from ajax.org


Centrify DirectControl 2.x zones:
ConsumerDiv - ajax.org/Program Data/Centrify/Zones/ConsumerDiv
Manufacturing - ajax.org/Program Data/Centrify/Zones/Manufacturing
London - ajax.org/Program Data/Centrify/Zones/London
Centrify Microsoft SFU zones:
default - ajax.org/Program Data/Centrify/Zones/default

Computer Account Diagnostics


Joined as: magnolia
Key Version: 5
Service Principal Names: nfs/magnolia.ajax.org
nfs/magnolia
host/magnolia.ajax.org
host/magnolia
ftp/magnolia.ajax.org
ftp/magnolia
cifs/magnolia.ajax.org
cifs/magnolia
HTTP/magnolia.ajax.org
HTTP/magnolia

Centrify DirectControl Status


Running in connected mode

To test whether a specific user can be authenticated by a specific
Active Directory domain controller, you could type a command
similar to the following:
adinfo --auth --user rae --servername ginger.ajax.org

You are then prompted for the Active Directory password for the
user rae account. If Active Directory can authenticate the user, a
confirmation message similar to the following is displayed:
Password for user “rae” is correct

To test connectivity and the availability of required ports on the
Active Directory domain controller, you could type a command
similar to the following:
adinfo --test

If the computer is joined to a domain and the connection to Active
Directory succeeds, the command displays information similar to
the following:
Domain Diagnostics:
Domain: ajax.org
DNS query for: _ldap._tcp.ajax.org
DNS query for: _gc._tcp.ajax.org
Testing Active Directory connectivity:
Global Catalog: ginger.ajax.org
gc: 3268/tcp - good
Domain Controller: ginger.ajax.org
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
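Because adinfo --test prints one line per port check, a script can turn the output into a pass/fail result. What follows is an added example and is not part of this guide or of Centrify’s software. It parses the connectivity lines in the format shown above (service: port/proto - result) and lists any check whose result is not good; the sample output is constructed, and the kpasswd failure in it is invented for illustration. It also shows how a script should treat the exit status of 2 that adinfo --domain returns when the computer is not joined. The ADINFO variable exists only so the command can be substituted when testing; by default the real adinfo on the PATH is used.

```shell
#!/bin/sh
# Added example for this guide's adinfo output; not Centrify's code.
# Turns the connectivity block printed by "adinfo --test" (or --diag) into
# a pass/fail result, and shows how a script should handle the exit status
# of 2 that "adinfo --domain" returns when the computer is not joined.

# Constructed sample modelled on the guide's "adinfo --test" output; the
# kpasswd failure is invented for illustration.
SAMPLE_ADINFO_TEST='Domain Diagnostics:
Domain: ajax.org
DNS query for: _ldap._tcp.ajax.org
DNS query for: _gc._tcp.ajax.org
Testing Active Directory connectivity:
Global Catalog: ginger.ajax.org
gc: 3268/tcp - good
Domain Controller: ginger.ajax.org
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - failed
ntp: 123/udp - good'

# failed_ports
# Reads adinfo output on stdin. Port-check lines have the shape
# "<service>: <port>/<proto> - <result>"; every other line is ignored.
# Prints "<service> <port>/<proto> <result>" for each check whose result
# is not "good" and exits 1 if there was at least one such check.
failed_ports() {
    awk '
        /^ *[A-Za-z]+: [0-9]+\/(tcp|udp) - / {
            service = $1; sub(/:$/, "", service)
            if ($4 != "good") {
                printf "%s %s %s\n", service, $2, $4
                bad++
            }
        }
        END { if (bad > 0) exit 1 }'
}

# ADINFO names the command to run; a test can point it at a stub. The
# default is the real adinfo on the PATH (assumed to be installed).
ADINFO=${ADINFO:-adinfo}

# joined_domain
# Prints the joined domain, or "not joined" when adinfo --domain exits
# with status 2 (the status the guide documents for an unjoined computer).
# Any other non-zero status is reported and passed through.
joined_domain() {
    rc=0
    dom=$("$ADINFO" --domain) || rc=$?
    case $rc in
        0) printf '%s\n' "$dom" ;;
        2) printf 'not joined\n' ;;
        *) printf 'adinfo --domain failed with status %s\n' "$rc" >&2
           return "$rc" ;;
    esac
}

# Demonstrate on the constructed sample.
if printf '%s\n' "$SAMPLE_ADINFO_TEST" | failed_ports; then
    echo "all port checks good"
else
    echo "one or more port checks failed" >&2
fi
```

In practice the first function would be fed by adinfo --test directly (adinfo --test | failed_ports), and its exit status makes it usable as a pre-check in a provisioning or monitoring script; a failing kpasswd or kdc port is exactly the condition that leaves Kerberos authentication broken while the LDAP checks still pass.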

Understanding adinfo-specific result codes


In addition to the common result codes described in
“Understanding common result codes” on page 77, the adinfo
command can generate command-specific result codes when errors
are encountered. The following table lists these command-specific
result codes.

Result   Error name                      Indicates

156      ERR_MACHINE_PASSWORD_CHANGED    The computer account password has been changed. If you encounter this error, you may need to manually reset the computer account password in Active Directory, then rerun the adinfo command.
157      ERR_KRB_READ_FORMAT             A Kerberos format error occurred when reading the Kerberos configuration file. You should rename or remove the configuration file, then rerun the adinfo command.
158      ERR_NOT_FQDN_NAME               The server name must be a fully-qualified domain name.

Using addebug
The addebug command is used to start or stop detailed logging
activity for Centrify DirectControl on a local UNIX computer.
The basic syntax for the addebug program is:
addebug [on | off | clear]

If you run the addebug on command, all of the Centrify
DirectControl activity is written to the /var/log/centrifydc.log
file. If the adclient process stops running while you have logging
on, the addebug program records messages from PAM and NSS
requests in the /var/log/centrify_client.log file. Therefore,
you should also check that file location if you enable logging.
If you do not specify an option, addebug displays its current status,
indicating whether logging is active or disabled.

Setting valid options


You can use the following options with this command:

Use this option          To do this

on
    Start logging all Centrify DirectControl daemon activity.
off
    Stop logging Centrify DirectControl daemon activity.
clear
    Clear the existing log file, then continue logging activity to the cleared log file.

Examples of using addebug


You use the addebug command to start and stop detailed Centrify
DirectControl-specific logging to help you trace and resolve
problems.
To display the current status of logging, type:
/usr/share/centrifydc/bin/addebug

Note You must type the full path to the command because addebug
is not included in the path by default.

This command displays information similar to the following:


Centrify DirectControl debug logging is off

To turn on logging, type:


/usr/share/centrifydc/bin/addebug on

This command records information in the


/var/log/centrifydc.log file similar to the following:
...
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.join: Joining domain garfield.com
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.base: Getting the KDC List for garfield.com
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.base: Updating config file with domain garfield.com
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.join: Created user LDAP connection
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Destroying binding to 'garfield.com'
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Attempting connection to server
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Connecting to odie.garfield.com:389
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Connected
...
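The debug log is the first thing an incident responder or support engineer reads when a join or a login misbehaves, and the lines above have a regular shape: a syslog-style prefix, the program and PID, a Centrify component name, then the message. The following is an added example, not part of this guide or of the Centrify software, that parses lines in that shape and pulls out every "Connecting to server:port" event so you can confirm the agent only talked to the domain controllers and global catalogs you expect. The sample log text is constructed from the excerpt above (wrapped lines re-joined, one adclient line and one malformed line added); the allow-list of known servers is something you supply.

```python
import re
from collections import namedtuple

# Constructed sample, modelled on the /var/log/centrifydc.log excerpt above
# (wrapped lines re-joined, one extra adclient line and one malformed line added).
SAMPLE_LOG = """\
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.join: Joining domain garfield.com
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.base: Getting the KDC List for garfield.com
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Connecting to odie.garfield.com:389
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Connected
Dec 14 00:32:03 jon adclient[11240]: com.centrify.daemon.ADBinding: Connecting to 10.0.0.9:3268
this line is not in the expected format
"""

# syslog-style prefix, then the Centrify component name, then the message text
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"(?P<component>com\.centrify\.\S+): (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^Connecting to (?P<server>[^\s:]+):(?P<port>\d+)$")

Record = namedtuple("Record", "ts host prog pid component msg")


def parse_log(text):
    """Split log text into parsed records and the lines that did not match."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m:
            records.append(Record(m["ts"], m["host"], m["prog"], int(m["pid"]),
                                  m["component"], m["msg"]))
        else:
            unparsed.append(line)
    return records, unparsed


def connection_targets(records):
    """(program, server, port) for every ADBinding 'Connecting to' message."""
    targets = []
    for r in records:
        if r.component == "com.centrify.daemon.ADBinding":
            m = CONNECT_RE.match(r.msg)
            if m:
                targets.append((r.prog, m["server"], int(m["port"])))
    return targets


def unexpected_targets(records, known_servers):
    """Connections to anything outside your known domain controllers and
    global catalogs. The allow-list is an assumption you supply; the guide
    gives no such list."""
    known = {s.lower() for s in known_servers}
    return [t for t in connection_targets(records) if t[1].lower() not in known]


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    for prog, server, port in connection_targets(recs):
        print(f"{prog} -> {server}:{port}")
    print("unexpected:", unexpected_targets(recs, ["odie.garfield.com"]))
    print("unparsed lines:", len(bad))
```

Run it against a real /var/log/centrifydc.log by reading the file into parse_log; unparsed lines are returned rather than dropped, so a format change in a later agent version shows up as a count instead of silently hiding events.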

For performance and security reasons, you should only enable
Centrify DirectControl logging when necessary, for example,
when requested to do so by Centrify Technical Support, and for
short periods of time.
To discontinue logging, type:
/usr/share/centrifydc/bin/addebug off

132 DirectControl Express Edition Administrator’s Guide


Using adfinddomain
The adfinddomain command displays the domain controller
associated with the Active Directory domain you specify.
The basic syntax for the adfinddomain program is:
adfinddomain [--format name|ldap|ip] [--port] [--verify]
[--version] [domain | $]

If you don’t specify a domain, the command returns information
for the domain the local computer is joined to. If you specify a
dollar sign ($) instead of a domain, the command returns the host
name and, optionally, the port number for the Global Catalog
server.

Setting valid options


You can use the following options with this command:

Use this option To do this


-f, --format name|ldap|ip
                 Control the format of the information displayed for
                 the domain controller: name displays the host name of
                 the domain controller, ldap displays it as an LDAP
                 URL, and ip displays its IP address. For example:
                 adfinddomain -f ldap
                 ldap://fire.arcade.org

-p, --port Include the port number in the output.


-V, --verify Check whether the specified domain controller is
currently operational.
-v, --version Display version information for the installed
software.
[domain | $] Specify the domain name or the global catalog for
which you want to display information.

Examples of using adfinddomain


You can use the adfinddomain command to display the host name,
LDAP URL, or IP address of the domain controller for a specified
domain. For example, to display the full host name for the domain
controller in the ajax.org domain, you would type:
adfinddomain --format name ajax.org
ginger.ajax.org

To display the host name for the global catalog server, type:
adfinddomain $
zen.ajax.org

To include the port number for the domain controller or global
catalog, type:
adfinddomain --format name --port ajax.org
ginger.ajax.org:389

or:
adfinddomain $ --port
zen.ajax.org:3268

Understanding adfinddomain-specific result codes


In addition to the common result codes described in
“Understanding common result codes” on page 77, the
adfinddomain command can generate command-specific result
codes when errors are encountered. The following table lists these
command-specific result codes.

Result Error name Indicates


156 ERR_NOT_OBTAIN_IP The command is unable to obtain the IP
address for the server.
157 ERR_UNDETECT_SERVICE The command is unable to find the domain
controller for the domain specified. You
should verify the domain name, then try
rerunning the adfinddomain command.

Using adflush
The adflush command can be used to clear the Centrify
DirectControl cache on a local computer.
The basic syntax for the adflush program is:
adflush [option]

Setting valid options


You can use the following options with this command:

Use this option To do this


-a, --auth Remove DirectAuthorize information from the
adclient authorization store cache.

-d, --dns Remove stored DNS information from the
adclient local cache.

-f, --force Clear the adclient local cache of all data even if
the Centrify DirectControl Agent is currently
disconnected from Active Directory.
-o, --objects Remove only domain controller and global catalog
objects from the cache.
-V, --verbose Display detailed information about the operation.
-v, --version Display version information for the installed
software.

Examples of using adflush


The adflush command enables you to completely clear the
Centrify DirectControl cache at any time. This command can be
useful when you want to force the Centrify DirectControl Agent to
read new information from Active Directory, or when you want to
remove obsolete data from the cache. You can also use this
command as part of routine housekeeping to free up disk space.
To clear the cache of information from the Active Directory
domain controller and global catalog, you would type:
adflush

To display verbose output and force the local cache to be cleared
when the Centrify DirectControl Agent (adclient) is running in
disconnected mode without access to Active Directory, you would
type:
adflush --verbose --force

Using adid
The adid command can be used to display the real and effective
UIDs and GIDs for the current user or a specified user.
The basic syntax for the adid program is:
adid [option] [username|uid]

The adid command is intended as a replacement for the standard
id program to look up user and group information for a specified
user. For Active Directory users, the adid command is more
efficient than the standard id program because it can request the
user’s group membership list directly through the Centrify
DirectControl Agent, resulting in better performance. For the
standard id program, requesting a user’s group membership
requires the program to search through all the groups on the
system to find which groups include the user as a member. If you
run the adid command and specify a user who is not an Active
Directory user, the adid command transfers the request to the
local id program with the same arguments you have specified.

Setting valid options
You can use the following options with this command:

Use this option To do this

-a Display all of the group IDs for the specified user or
the current user if no user name or user ID is
specified.
Note This option is provided to support
compatibility with other versions of the program.
The information adid displays with this option is
the same as the information displayed without this
option.
-n, --name Display only the effective user name for the
specified user or the current user. You must include
the --user (or -u) option on the command line to
use this option.
-u, --user Display only the effective user ID for the specified
user or the current user if no user name or user ID is
specified.
--help Display usage information for the command.

Examples of using adid


You can use the adid command to display user and group
information for the current user or any specified user. For
example, to display the user name, default group, and complete
group membership for the current user, you can type:
adid
uid=505(alan) gid=100(users)
groups=100(users),700(oracle),507(testexpert)

To display the user ID and group ID for a specific user name, you
can type:
adid alan
uid=505(alan) gid=100(users)

To display the user ID and group ID for a specific user ID, you can
type:
adid 505
uid=505(alan) gid=100(users)

To display only the user ID for a specific user name, you can type:
adid --user sloane
506

Using adclient
Most Centrify DirectControl operations are managed by the
central daemon process adclient. This daemon is automatically
started when the system is first booted. The daemon generally
remains running as long as the computer is powered up so that it
can handle all of the authentication and authorization interaction
between Active Directory and the UNIX shell programs or Web
applications that need this information.

Notes Although you can run adclient directly from the command
line to control the operation of the Centrify DirectControl Agent on
a local computer, it is recommended that you do so only under the
direction of Centrify support. Typically, you should start and stop
adclient from a startup script; see “Using the startup script” on
page 139.
On AIX computers, you cannot start adclient directly from the
command line. On AIX, you should use the centrifydc startup
script or the system resource controller commands, such as
startsrc, stopsrc, and lssrc. For example, to start adclient
with the -d and -F options on AIX, you can use a command such as:

startsrc -s centrifydc -a "-d -F"

The basic syntax for running adclient at the command line is:
adclient [-x] [-d] [-F] [-M]

Setting valid options
You can use the following options with adclient:

Use this option To do this


-x Stop the Centrify DirectControl Agent if it is
currently running.
-d Set the Centrify DirectControl Agent to run in
debug mode when it is restarted.
-F Flush the Active Directory cache when the Centrify
DirectControl Agent is restarted.
-M Enable in-memory logging of Centrify
DirectControl Agent operations.

For example, to flush the cache when the Centrify DirectControl
Agent starts:
adclient -F

Using the startup script


Although adclient normally runs as long as a computer is powered
up, periodically you may want to manually stop or restart adclient
without rebooting the computer. You do this by running a startup
script called centrifydc and specifying whether you want to start,
stop, or restart the daemon. The location of the startup scripts that
run when a computer is started can vary depending on the
platform. For example, on Linux and Solaris the startup script is in
the directory /etc/init.d, but on HP-UX, startup scripts are
located in the /sbin/init.d directory. For convenience, a copy of
the Centrify DirectControl startup script is installed in the
/usr/share/centrifydc/bin directory, and you can use the copy
in that directory when you want to manually start, stop, or restart
the Centrify DirectControl daemon.
For more information about how daemons are started and stopped
in a specific operating environment, including the normal location
for startup scripts, see the documentation for the operating
environment.

Starting the daemon


To manually start the daemon when the startup script is located in
the /usr/share/centrifydc/bin directory, you run this
command:
/usr/share/centrifydc/bin/centrifydc start

Stopping the daemon


To manually stop the daemon when the startup script is located in
the /usr/share/centrifydc/bin directory, you run this
command:
/usr/share/centrifydc/bin/centrifydc stop

Restarting the daemon


To manually stop then restart the daemon when the startup script is
located in the /usr/share/centrifydc/bin directory, you run this
command:
/usr/share/centrifydc/bin/centrifydc restart

Checking the status of the daemon


You can also check whether the daemon is currently running or
stopped. To view the current status of the daemon when the
startup script is located in the /usr/share/centrifydc/bin
directory, you run this command:
/usr/share/centrifydc/bin/centrifydc status

Using adcache
The adcache command enables you to manually clear the local
Centrify DirectControl cache on a computer. You can use this
command to dump all cache files or a specific cache file. You can
also use the command to check a cache file for a specific key value
and to reclaim disk space. By default, the program dumps all cache
files.
Before running adcache, you should stop the adclient process
using the following command:
/usr/share/centrifydc/bin/centrifydc stop

The basic syntax for running the adcache program is:
adcache [options]

Setting valid options


You can use the following options with adcache:

Use this option To do this


-c, --cachename path Specify the full path to the cache file you want to
check or clear.
-q, --quiet Run the command without displaying any output.
This option is useful for running the command as a
scheduled maintenance job.
-k, --key value Check the Centrify DirectControl cache for a specific
key value.
-r, --reorg Reorganize the Centrify DirectControl cache and
index files and recover disk space used by negative
items.
To use this option, you must run the adcache
command as root. If you use this option,
adcache stops and restarts the adclient
process.

Examples of using adcache


To check domain controller cache for a specific key value, you
would type a command similar to this:
adcache --cachename /var/centrifydc/dc.cache --key andre
----------------------------------------------------------
Dumping /var/centrifydc/dc.cache
----------------------------------------------------------
ADObject: <GUID=83db76a5dfca5243a788d98128d2e101>
Acquired: Fri Sep 21 16:10:07 2007
Deserialized data:
_ExpiryTime(s):-1,
_Foreign(s):False,
_GECOS(s):Andre Garcia,
_Gid(s):500,
_HomeDirectory(s):/home/andre,
_LoginShell(s):/bin/bash,
_ObjectExtended(s):a30d50f5ef182e42b7687fa1ae07b776,
_ParentLink(s):S-1-5-21-3619768212-1024502798-2657341593-1153,
_PwSync(s):altSecurityIdentities,
_SID(s):S-1-5-21-3619768212-1024502798-2657341593-1153,
_ShellEnabled(s):True,
_Uid(s):504,
_UnixName(s):andre,
_dn(s):CN=Andre Garcia,CN=Users,DC=ajax,DC=org,
_extendedObjUSN(s):127065,
_groupGuidList(s):<GUID=1271604159a73a49b251b156fae5d6fb>,<GUID=2d7305a27dfc884eb95ed5d4404a9016>,<GUID=d663e7d2088e6c4d8d89c0919f4a2b6e>,
_hashTimestamp(s):1190416207,
_maxPwdAge(s):-1,
_minPwdAge(s):128323800679025000,
_objectCategory(s):Person,
_pacGroups(s):0105000000000005150000009447c1d70eac103d99d0639e94040000,0105000000000005150000009447c1d70eac103d99d0639e00020000,0105000000000005150000009447c1d70eac103d99d0639e01020000,
_passwordHash(s):b450a7940716ea44d980322df1773b10,
_passwordSalt(s):$1$wJkhxUEB$,
_server(s):ginger.ajax.org,
_userPrincipalName(s):andre@AJAX.ORG,
accountExpires(s):9223372036854775807,
cn(s):Andre Garcia,
displayName(s):Andre Garcia,
msDS-KeyVersionNumber(s):3,
name(s):Andre Garcia,
objectCategory(s):CN=Person,CN=Schema,CN=Configuration,DC=ajax,DC=org,
objectClass(s):top,person,organizationalPerson,user,
primaryGroupID(s):513,
pwdLastSet(s):-1,
sAMAccountName(s):andre,
uSNChanged(s):1,
userAccountControl(s):512,
userPrincipalName(s):andre@ajax.org,
----------------------------------------------------------
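Two things in that dump matter to a security engineer. First, every attribute is printed as key(s):value with a trailing comma, and long values wrap across lines, so anything that post-processes a dump has to re-join continuations before it can read, say, the SID or userAccountControl. Second, the dump contains _passwordHash and _passwordSalt: the cache file itself and any dump of it are credential material. Before you paste a dump into a support ticket, check the file is root-only (ls -l /var/centrifydc/) and redact those two keys. The following is an added example, not part of this guide or of Centrify's code, that parses a dump in the format shown above, decodes the standard Active Directory userAccountControl bits, and produces a redacted copy. The sample dump is constructed from the excerpt above with most attributes dropped for brevity.

```python
import re

# Constructed sample, modelled on the adcache dump above (attributes trimmed).
SAMPLE_DUMP = """\
----------------------------------------------------------
Dumping /var/centrifydc/dc.cache
----------------------------------------------------------
ADObject: <GUID=83db76a5dfca5243a788d98128d2e101>
Acquired: Fri Sep 21 16:10:07 2007
Deserialized data:
_GECOS(s):Andre Garcia,
_Gid(s):500,
_HomeDirectory(s):/home/andre,
_SID(s):S-1-5-21-3619768212-1024502798-2657341593-1153,
_Uid(s):504,
_UnixName(s):andre,
_dn(s):CN=Andre Garcia,CN=Users,DC=ajax,DC=org,
_groupGuidList(s):<GUID=1271604159a73a49b251b156fae5d6fb>,
<GUID=2d7305a27dfc884eb95ed5d4404a9016>,
_passwordHash(s):b450a7940716ea44d980322df1773b10,
_passwordSalt(s):$1$wJkhxUEB$,
_userPrincipalName(s):andre@AJAX.ORG,
primaryGroupID(s):513,
sAMAccountName(s):andre,
userAccountControl(s):512,
----------------------------------------------------------
"""

# "key(s):value" starts an attribute; any other non-header line continues the previous value
ATTR_RE = re.compile(r"^(?P<key>[A-Za-z_][\w-]*)\(s\):(?P<value>.*)$")
HEADER_LABELS = ("Dumping ", "ADObject: ", "Acquired: ")

# Standard Active Directory userAccountControl flag bits (not specific to Centrify)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
SECRET_KEYS = ("_passwordHash", "_passwordSalt")


def parse_dump(text):
    """Return (header, attrs): header has Dumping/ADObject/Acquired, attrs maps key -> value."""
    header, attrs, key = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or set(line) == {"-"} or line == "Deserialized data:":
            continue
        for label in HEADER_LABELS:
            if line.startswith(label):
                header[label.strip(" :")] = line[len(label):]
                break
        else:
            m = ATTR_RE.match(line)
            if m:
                key = m["key"]
                attrs[key] = m["value"]
            elif key is not None:
                attrs[key] += line  # wrapped continuation of the previous value
    # each value is terminated by a comma in the dump; drop it
    return header, {k: (v[:-1] if v.endswith(",") else v) for k, v in attrs.items()}


def uac_flags(attrs):
    """Names of the userAccountControl bits that are set."""
    value = int(attrs.get("userAccountControl", "0"))
    return sorted(name for bit, name in UAC_FLAGS.items() if value & bit)


def sid_rid(attrs):
    """Relative identifier: the last sub-authority of the object's SID."""
    return int(attrs["_SID"].rsplit("-", 1)[1])


def redact(attrs):
    """Copy of the attributes with credential material replaced, safe to share."""
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in attrs.items()}


if __name__ == "__main__":
    header, attrs = parse_dump(SAMPLE_DUMP)
    print(header["Dumping"], attrs["_UnixName"], "rid", sid_rid(attrs), uac_flags(attrs))
    for k, v in redact(attrs).items():
        print(f"{k}={v}")
```

Feed parse_dump the captured output of adcache --cachename ... --key ...; the redacted copy is what leaves the machine. A user whose flags include PASSWD_NOTREQD, DONT_REQ_PREAUTH or TRUSTED_FOR_DELEGATION is worth a second look regardless of what the cache says about their UNIX attributes.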

To reorganize the Centrify DirectControl cache and index files and
recover disk space used by negative items, you would run the
following command:
adcache --reorg

You should run the adcache --reorg command on a regular basis
in a cron job to remove negative results and to prevent the cache
from consuming too much disk space. Depending on how quickly
the size of the Centrify DirectControl cache tends to increase in
your environment, you may want to schedule this command to run
approximately once a week.

Understanding adcache-specific result codes


In addition to the common result codes described in
“Understanding common result codes” on page 77, the adcache
command can generate command-specific result codes when errors
are encountered. The following table lists these command-specific
result codes.

Result Error name Indicates


156 ERR_ADCLIENT_NOT_SHUTDOWN The Centrify DirectControl Agent is
currently running. You should stop the
adclient process, then attempt to rerun
the command.
157 ERR_CACHE_CORRUPT The cache may be corrupt.

Using adreload
The adreload command enables you to force the Centrify
DirectControl Agent (adclient) to reload configuration properties
in the /etc/centrifydc/centrifydc.conf file and in other files in
the /etc/centrifydc directory. Running this command enables
changes made to the configuration properties to take effect without
restarting the adclient process. Running adreload, however, does
not reload the properties set with the following configuration
parameters:
adclient.ldap.timeout
adclient.ldap.socket.timeout
adclient.udp.timeout
adclient.clients.threads
adclient.clients.threads.max
adclient.use.all.cpus
adclient.clients.listen.backlog
adclient.dumpcore

For the configuration parameters listed above, you must restart the
adclient process for changes to take effect.

The basic syntax for running the adreload program is:
adreload

This command returns the following exit codes:

This exit code Indicates


0 Command executed successfully
2 Process not authorized
3 Reload failed

Setting valid options


You can use the following option with adreload:

Use this option To do this


-h, --help Display the usage message.

Examples of using adreload


To reload the configuration properties on a local computer after
making changes to the /etc/centrifydc/centrifydc.conf file,
you would type a command similar to this:
adreload

Understanding adreload-specific result codes


In addition to the common result codes described in
“Understanding common result codes” on page 77, the adreload
command can generate the following operation-specific result
code:

Result Error name Indicates


156 ERR_RELOAD_CENTRIFYCONF The attempt to reload the centrifydc.conf file
failed.

Appendix B

Customizing Auto Zone configuration parameters
This appendix describes the Centrify DirectControl configuration
parameters that affect the operation of a local host computer joined
to Auto Zone. These parameters have no effect if the machine is not
joined to Auto Zone.
auto.schema.primary.gid
auto.schema.private.group
auto.schema.shell
auto.schema.homedir
auto.schema.use.adhomedir
auto.schema.remote.file.service
auto.schema.name.format
auto.schema.separator
auto.schema.domain.prefix
auto.schema.search.return.max
auto.schema.name.lower
auto.schema.iterate.cache
adclient.ntlm.separators

auto.schema.primary.gid
This configuration parameter specifies the primary GID for the
user. The auto.schema.private.group parameter must be set to
false (the default) to use this parameter.

Specify the GID for an existing group. To find the GID for a group,
you can use the adquery command. For example, to find the GID
for the group Support, open a terminal session and type:
adquery group --gid Support
1003

If you do not set this parameter, the value defaults to the following:
On Mac OS X: 20.
On Linux: 65534

auto.schema.private.group
This configuration parameter specifies whether to use dynamic
private groups.
Specify true to create dynamic private groups. In this case, the
primary GID is set to the user's UID and a group is automatically
created with a single member.
Specify false (the default) to not create private groups. In this
case, the primary GID is set to the value of
auto.schema.primary.gid, which defaults to 20 on Mac OS X and
65534 on Linux.

auto.schema.shell
This configuration parameter specifies the default shell for the
logged in user. The default value is /bin/bash on Mac OS X and
Linux systems and /bin/sh on all other systems.

auto.schema.homedir
This configuration parameter specifies the home directory for
logged in users. The default, if you do not specify this parameter,
is:
Mac OS X: /Users/%{user}
UNIX: /home/%{user}
The syntax %{user} specifies the logon name of the user. For
example, in the Centrify DirectControl configuration file, if you
add:
auto.schema.homedir:/Users/%{user}

and jsmith logs on to a Mac OS X machine, the home directory is
set to /Users/jsmith.
If the parameter, auto.schema.use.adhomedir, is true, the home
directory is set to the value in Active Directory for the user, if one
is defined. If auto.schema.use.adhomedir, is false or if a home
directory is not specified for the user in Active Directory, the home
directory is set to the value defined for this parameter,
auto.schema.homedir.

auto.schema.use.adhomedir
Note This configuration parameter applies to Mac OS X computers
only.

This configuration parameter specifies whether to use the Active
Directory value for the home directory, if one is defined. Set to
true to use the Active Directory value (the default), or false to
not use the Active Directory value. If you set the value to false, or
if you set the value to true but a home directory is not specified in
Active Directory, the value for auto.schema.homedir is used.

auto.schema.remote.file.service
Note This configuration parameter applies to Mac OS X computers
only.

This configuration parameter specifies the type of remote file
service to use for the network home directory. The options are:
SMB (default) and AFP.
When you type a path for the network home directory in Active
Directory, it requires a specific format: /server/share/path, but
on Mac OS X, the format for mounting a network directory
requires the remote file service type: /type/server/share/path.
By identifying the remote file-service type, you can type the
network path in the format required by Active Directory, and
Centrify DirectControl translates the path into the format required
by Mac OS X.
For example:
auto.schema.remote.file.service:SMB

auto.schema.name.format
This configuration parameter specifies how the Active Directory
username is transformed into a UNIX name (short name in
Mac OS X). The options are
SAM (default)
An example SAM name is joe
SAM@domainName
An example SAM@domainName is joe@acme.com
NTLM
An example NTLM name is acme.com+joe (the separator is
set by adclient.ntlm.separators; + is the default)

auto.schema.separator
Note This configuration parameter has been deprecated in favor of
adclient.ntlm.separators, which applies whenever NTLM
format is used. The auto.schema.separator parameter only
applies when the computer is connected to Auto Zone.

This configuration parameter specifies the separator to be used
between the domain name and the user name if NTLM format is
used. The default is +; for example:
auto.schema.separator:+

which results in a name such as:
acme.com+jcool

auto.schema.domain.prefix
This configuration parameter specifies a unique prefix for a trusted
domain. You must specify a whole number in the range of 0 - 511.
Centrify DirectControl combines the prefix with the lower 22 bits
of each user or group RID (relative identifier) to create unique
UNIX user (UID) and group (GID) IDs for each user and group in
the forest and in any two-way trusted forests.
Ordinarily, you do not need to set this parameter because Centrify
DirectControl automatically generates the domain prefix from the
user or group Security Identifier (SID). However, in a forest with a
large number of domains, domain prefix conflicts are possible.
When you join a machine to a domain, if Centrify DirectControl
detects any conflicting domain prefixes, the join fails with a
warning message. You can then set a unique prefix for the
conflicting domains.
To set this parameter, append the domain name and specify a prefix
in the range 0 - 511. For example:
auto.schema.domain.prefix.acme.com:3
auto.schema.domain.prefix.finance.com:4
auto.schema.domain.prefix.corp.com:5

The default behavior, if you do not set this parameter, is for
Centrify DirectControl to automatically generate the domain
prefix from the user or group Security Identifier (SID).
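The arithmetic above is worth seeing once, because it explains both why a prefix conflict is fatal and why two objects in the same domain can still collide: only the low 22 bits of the RID survive, so RIDs that differ by a multiple of 2^22 map to the same UID. The following is an added example, not part of this guide or of Centrify's implementation, of the explicit-prefix case. It assumes the prefix occupies the bits above the 22 RID bits (9 prefix bits plus 22 RID bits gives a 31-bit value that fits a signed 32-bit uid_t); the guide states the prefix range and the 22-bit truncation but not the exact bit layout, and it does not describe how the automatic prefix is derived from the SID, so that path is not modelled here.

```python
RID_BITS = 22
RID_MASK = (1 << RID_BITS) - 1   # "lower 22 bits of each user or group RID"
PREFIX_MAX = 511                 # whole number in the range 0 - 511


def auto_id(prefix, rid):
    """UID or GID for an object, given its domain prefix and RID.
    Assumption (not stated on the page): the prefix sits directly above the
    22 RID bits, so the result is at most 31 bits wide."""
    if not 0 <= prefix <= PREFIX_MAX:
        raise ValueError("domain prefix must be in the range 0 - 511")
    if rid < 0:
        raise ValueError("RID must be non-negative")
    return (prefix << RID_BITS) | (rid & RID_MASK)


def split_id(uid):
    """Inverse of auto_id: (prefix, truncated RID)."""
    return uid >> RID_BITS, uid & RID_MASK


def rid_from_sid(sid):
    """The RID is the last sub-authority of a SID such as S-1-5-21-...-1153."""
    return int(sid.rsplit("-", 1)[1])


def prefix_conflicts(prefixes):
    """Given {domain: prefix}, return {prefix: [domains]} for prefixes used by
    more than one domain; these are the conflicts that make the join fail."""
    by_prefix = {}
    for domain, prefix in prefixes.items():
        by_prefix.setdefault(prefix, []).append(domain)
    return {p: sorted(d) for p, d in by_prefix.items() if len(d) > 1}


if __name__ == "__main__":
    # values from the adcache dump and the auto.schema.domain.prefix example above
    sid = "S-1-5-21-3619768212-1024502798-2657341593-1153"
    uid = auto_id(3, rid_from_sid(sid))
    print(uid, split_id(uid))
    print(prefix_conflicts({"acme.com": 3, "finance.com": 4, "corp.com": 3}))
```

The collision case is the one to remember when reviewing file ownership on a box joined to a large forest: identical UIDs from different domains, or from RIDs far apart in one domain, are indistinguishable to the kernel.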

auto.schema.search.return.max
This configuration parameter specifies the number of users that will
be returned for searches by utilities such as dscl and the
Workgroup Manager application. Because Auto Zone enables
access to all users in a domain, a search could potentially return
tens of thousands of users. This parameter causes the search to
truncate after the specified number of users.
The default is 1000 entries.

auto.schema.name.lower
This configuration parameter specifies whether user names and
home directory names taken from Active Directory are converted to
lower case on the local computer.
Set to true to convert user names and home directory names to
lowercase.
Set to false to leave user names and home directories in their
original case, upper, lower, or mixed.
The default for a new installation is true. The default for an
upgrade installation is false.

auto.schema.iterate.cache
This parameter specifies that user and group iteration take place
only over cached users and groups.
Set the value for auto.schema.iterate.cache to true to restrict
iteration to cached users and groups.
Set the value for auto.schema.iterate.cache to false to iterate
over all users and groups. The default value is false.

adclient.ntlm.separators
This configuration parameter specifies the separators that may be
used between the domain name and the user name when NTLM
format is used. For example, the following setting:
adclient.ntlm.separators: +/\\

allows any of the following formats (assuming a user joe in the
acme.com domain):
acme.com+joe
acme.com/joe
acme.com\joe

Note The backslash character (\) can be problematic on some UNIX
shells, in which case you may need to specify domain\\user.
The first character in the list is the one that adclient uses when
generating NTLM names.
The default values are +/\\, with + being the adclient default.
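The three name formats (auto.schema.name.format), the separator list (adclient.ntlm.separators, and the deprecated auto.schema.separator), and the lower-casing rule (auto.schema.name.lower) together decide what string a login attempt is compared against, so it is worth having a small model of them when you audit who can actually log in. The following is an added example, not part of this guide or of the agent, that generates names the way the text describes and parses any accepted NTLM spelling back into (domain, user). It assumes the default separators "+/\" and that sAMAccountName never contains a separator character (Active Directory disallows + / and \ in sAMAccountName), which is why splitting at the first separator is safe.

```python
DEFAULT_SEPARATORS = "+/\\"   # adclient.ntlm.separators default; first char is used when generating


def format_name(sam, domain, name_format="SAM", separators=DEFAULT_SEPARATORS):
    """UNIX name for an AD user under auto.schema.name.format."""
    fmt = name_format.upper()
    if fmt == "SAM":
        return sam
    if fmt == "SAM@DOMAINNAME":
        return f"{sam}@{domain}"
    if fmt == "NTLM":
        return f"{domain}{separators[0]}{sam}"
    raise ValueError(f"unknown auto.schema.name.format value {name_format!r}")


def unix_name(sam, domain, name_format="SAM", lower=True, separators=DEFAULT_SEPARATORS):
    """Apply auto.schema.name.lower on top of the chosen format."""
    name = format_name(sam, domain, name_format, separators)
    return name.lower() if lower else name


def parse_ntlm(name, separators=DEFAULT_SEPARATORS):
    """Split domain<sep>user using any configured separator.
    Returns (domain, sam) or None when the name is not in NTLM form.
    Splitting at the first separator is safe because sAMAccountName may not
    contain + / or \\ (an Active Directory naming rule, assumed here)."""
    positions = [i for i, ch in enumerate(name) if ch in separators]
    if not positions:
        return None
    i = positions[0]
    domain, sam = name[:i], name[i + 1:]
    if not domain or not sam:
        return None
    return domain, sam


def same_account(name_a, name_b, separators=DEFAULT_SEPARATORS):
    """True if two NTLM spellings refer to the same AD account (case-insensitive)."""
    a, b = parse_ntlm(name_a, separators), parse_ntlm(name_b, separators)
    if a is None or b is None:
        return False
    return (a[0].lower(), a[1].lower()) == (b[0].lower(), b[1].lower())


if __name__ == "__main__":
    for fmt in ("SAM", "SAM@domainName", "NTLM"):
        print(fmt, "->", unix_name("Joe", "acme.com", fmt))
    for spelling in ("acme.com+joe", "acme.com/joe", "acme.com\\joe", "joe"):
        print(spelling, "->", parse_ntlm(spelling))
```

When you set adclient.ntlm.separators to a single character, parse_ntlm with that one-character string shows exactly which spellings stop being accepted.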



Appendix C

Customizing PAM-related configuration parameters
This appendix describes the DirectControl configuration
parameters that affect the operation of PAM-related activity on the
local host computer.
pam.allow.groups
pam.allow.override
pam.allow.password.change
pam.allow.password.change.mesg
pam.allow.password.expired.access
pam.allow.password.expired.access.mesg
pam.allow.users
pam.deny.groups
pam.deny.users
pam.ignore.users
pam.mapuser.username
pam.password.change.mesg
pam.password.change.required.mesg
pam.password.confirm.mesg
pam.password.empty.mesg
pam.password.enter.mesg
pam.password.expiry.warn.mesg
pam.password.new.mesg
pam.password.new.mismatch.mesg

pam.password.old.mesg
Note On AIX, the PAM configuration parameters described in this
section may apply to interfaces in the AIX Loadable Authentication
Module (LAM) or PAM, depending on the configuration of the local
operating environment. If you have configured AIX to use PAM, the
configuration parameters apply to PAM settings. If AIX is
configured to use LAM, parameters in this section configure LAM
settings where applicable.

pam.allow.groups
This configuration parameter specifies the groups allowed to access
PAM-enabled applications. When this parameter is defined, only
the listed groups are allowed access. All other groups are denied
access.
If you want to use this parameter to control which users can log in
based on group membership, the groups you specify should be valid
Active Directory groups, but the groups you specify do not have to
be enabled for UNIX. Local group membership and invalid Active
Directory group names are ignored.
If you use this parameter to control access by group name, Centrify
DirectControl checks the Active Directory group membership for
every user who attempts to use PAM-enabled applications on the
host computer.
When a user attempts to log on or access a PAM-enabled service,
the pam_centrifydc module checks with Active Directory to see
what groups the user belongs to. If the user is a member of any
Active Directory group specified by this parameter, the user is
accepted and authentication proceeds. If the user is not a member
of any group specified by this parameter, authentication fails and
the user is rejected.
The parameter’s value can be one or more group names, separated
by commas, or the file: keyword and a file location. For example,

to allow only members of the administrators, sales, and
engineering groups in Active Directory to log in:
pam.allow.groups: administrators,sales,engineering

Notes You can use the short format of the group name or the full
canonical name of the group.
To enter group names with spaces, enclose them in double quotes;
for example:
pam.allow.groups: "domain admins",sales,"domain users"

To specify a file that contains a list of the groups allowed access,
type the path to the file:
pam.allow.groups: file:/etc/centrifydc/groups.allow

If a computer is configured to use Auto Zone without a zone, you
should specify groups with samAccountName@domain_name as the
parameter value or in the list of group names.
If no group names are specified, no group filtering is performed.
Note If you make changes to this parameter, you should run
adflush to clear the Centrify DirectControl cache to ensure your
changes take effect.
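The value syntax has three forms (a comma list, quoted names containing spaces, and a file: path), and the access decision has one important edge: an empty list means no filtering at all, not deny-all. The following is an added example, not part of this guide or of pam_centrifydc, that parses a pam.allow.groups value and evaluates whether a user's Active Directory group list passes it, plus a lint for the Auto Zone rule that names should carry @domain. Assumptions not stated on the page: group names are compared case-insensitively (Active Directory group names are not case-sensitive), the allow file holds one group per line with # comments allowed, and only AD groups are passed in, since the page says local group membership is ignored.

```python
import csv
from pathlib import Path


def _read_path(path):
    return Path(path).read_text()


def parse_group_list(value, read_file=_read_path):
    """Parse a pam.allow.groups (or pam.deny.groups) value into a list of names.
    Accepts 'a,b,"name with spaces"' or 'file:/path'. The file format
    (one name per line, # comments) is an assumption for this example."""
    value = value.strip()
    if value.startswith("file:"):
        names = []
        for line in read_file(value[len("file:"):].strip()).splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                names.append(line)
        return names
    if not value:
        return []
    row = next(csv.reader([value], delimiter=",", quotechar='"', skipinitialspace=True))
    return [name.strip() for name in row if name.strip()]


def pam_allows(user_ad_groups, allow_value, read_file=_read_path):
    """Decision pam.allow.groups makes for a user with the given AD groups.
    An empty or unset value performs no group filtering (everyone passes)."""
    allowed = parse_group_list(allow_value, read_file)
    if not allowed:
        return True
    members_of = {g.lower() for g in user_ad_groups}
    return any(g.lower() in members_of for g in allowed)


def auto_zone_missing_domain(names):
    """Names that lack the samAccountName@domain form required under Auto Zone."""
    return [n for n in names if "@" not in n]


if __name__ == "__main__":
    value = '"domain admins",sales,"domain users"'
    print(parse_group_list(value))
    print(pam_allows(["Domain Users", "Sales"], value))
    print(pam_allows(["Domain Users"], "administrators,sales,engineering"))
    print(auto_zone_missing_domain(["sales@ajax.org", "engineering"]))
```

Run parse_group_list over the live value from /etc/centrifydc/centrifydc.conf after an edit, then adflush as the note above says; a typo that yields an empty list silently turns the filter off, which is the failure mode this check is meant to catch.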

pam.allow.override
This configuration parameter is used to override authentication
through Active Directory to ensure the root user or another local
account has permission to log on when authentication through
Active Directory is not possible, when there are problems running
the Centrify DirectControl daemon, or when there are network
communication issues.
When you specify a user account for this parameter, authentication
is passed on to a legacy authentication mechanism, such as
/etc/passwd. You can use this parameter to specify an account that
you want to ensure always has access, even if communication with
Active Directory or the Centrify DirectControl daemon fails. For

example, to ensure the local root user always has access to a system
even in an environment where you have enabled root mapping, you
can specify:
pam.allow.override: root

To log in locally with the override account, you must specify the
local user name and password. However, because the account is
mapped to an Active Directory account, you must append
@localhost to the user name. For example, if you have specified
root as the override account and are using root mapping, you
would type root@localhost when prompted for the user name.
You can then type the local password for the root account and log
in without being authenticated through Active Directory.
Note If you are mapping the root user to an Active Directory
account and password, you should set this parameter to root or to
a local user account with root-level permissions (UID 0), so that you
always have at least one local account with permission to access
system files and perform privileged tasks on the computer even if
there are problems with the network connection, Active Directory,
or the Centrify DirectControl daemon.

pam.allow.password.change
This configuration parameter specifies whether users who log in
with an expired password should be allowed to change their
password. You can set this parameter to true or false and use it in
conjunction with the pam.allow.password.expired.access
parameter to control access for users who attempt to log on with
an expired password.
If both this parameter and pam.allow.password.expired.access
are set to true, users logging on with an expired password are
allowed to log on and are prompted to change their password.
If the pam.allow.password.expired.access parameter is set to
true, but this parameter is set to false, users logging on with an
expired password are allowed to log on but are not prompted to
change their password and the message defined for the
pam.allow.password.change.mesg parameter is displayed.
If both this parameter and pam.allow.password.expired.access
are set to false, users who attempt to log on with an expired
password are not allowed to log on or change their password and
the message defined for the pam.allow.password.change.mesg
parameter is displayed.
For example, to allow users with expired passwords to change their
password:
pam.allow.password.change: true

pam.allow.password.change.mesg
This configuration parameter specifies the message displayed when
users are not permitted to change their expired password because
the pam.allow.password.change parameter is set to false.
For example:
pam.allow.password.change.mesg: Password change not permitted

pam.allow.password.expired.access
This configuration parameter specifies whether users who log in
with an expired password should be allowed access. You can set this
parameter to true or false and use it in conjunction with the
pam.allow.password.change parameter to control access for users
who attempt to log on with an expired password.
If this parameter is set to true, users logging on with an expired
password are allowed to log on, and either prompted to change
their password if the pam.allow.password.change parameter is set
to true, or notified that they are not allowed to change their
expired password if the pam.allow.password.change parameter is
set to false.
If this parameter is set to false, users logging on with an expired
password are not allowed to log on and the message defined for the
pam.allow.password.expired.access.mesg parameter is
displayed.
For example, to allow users with expired passwords to log on:
pam.allow.password.expired.access: true

pam.allow.password.expired.access.mesg
This configuration parameter specifies the message displayed when
users are not permitted to log on with an expired password because
the pam.allow.password.expired.access parameter is set to
false.

For example:
pam.allow.password.expired.access.mesg: Password expired - access denied

pam.allow.users
This configuration parameter specifies the users who are allowed to
access PAM-enabled applications. When this parameter is defined,
only the listed users are allowed access. All other users are denied
access.
If you want to use this parameter to control which users can log in,
the users you specify should be valid Active Directory users that
have a valid UNIX profile for the local computer’s zone. If you
specify local user accounts or invalid Active Directory user names,
these entries are ignored; in particular, this parameter does not
restrict logins by local UNIX accounts, only by Active Directory
users.
If you specify one or more users with this parameter, user filtering
is performed for all PAM-enabled applications on the host
computer.
When a user attempts to log on or access a PAM-enabled service,
the pam_centrifydc module checks the users specified by this
parameter to see if the user is listed there. If the user is included in
the list, the user is accepted and authentication proceeds. If the user
is not listed, the user is rejected.
The parameter value can be one or more user names, separated by
commas, or the file: keyword and a file location. For example:
pam.allow.users: root,joan7,bbenton
pam.allow.groups: administrators,sales,engineering

Notes: You can use the short format of the user name or the full
canonical name of the user.
To enter user names with spaces, enclose them in double quotes; for
example:
pam.allow.users: "sp1 user@acme.com",joan@acme.com,"sp2 user@acme.com"

To specify a file that contains a list of the users allowed access, type
the path to the file:
pam.allow.users: file:/etc/centrifydc/users.allow

If a computer is configured to use Auto Zone without a zone, you
should specify users with samAccountName@domain_name as the
parameter value or in the list of user names.
If no user names are specified, then no user filtering is performed.
Note: If you make changes to this parameter, you should run
adflush to clear the Centrify DirectControl cache to ensure your
changes take effect.

pam.deny.groups
This configuration parameter specifies the groups that should be
denied access to PAM-enabled applications. When this parameter is
defined, only the listed groups are denied access. All other groups
are allowed access.
If you want to use this parameter to control which users can log in
based on group membership, the groups you specify should be valid
Active Directory groups, but the groups you specify do not need to
be enabled for UNIX. Local group membership and invalid Active
Directory group names are ignored.
When a user attempts to log on or access a PAM-enabled service,
the pam_centrifydc module checks with Active Directory to see
which groups the user belongs to. If the user is a member of any
Active Directory group specified by this parameter, the user is
denied access and authentication fails. If the user is not a member of
any group specified by this parameter, authentication succeeds and
the user is logged on.
The parameter’s value can be one or more group names, separated
by commas or spaces, or the file: keyword and a file location. For
example, to prevent all members of the vendors and azul groups
in Active Directory from logging on:
pam.deny.groups: vendors,azul

Notes: You can use the short format of the group name or the full
canonical name of the group.
To enter group names with spaces, enclose them in double quotes;
for example:
pam.deny.groups: "domain admins",sales,"domain users"

To specify a file that contains a list of the groups that should be
denied access:
pam.deny.groups: file:/etc/centrifydc/groups.deny

If a computer is configured to use Auto Zone without a zone, you
should specify groups with samAccountName@domain_name as the
parameter value or in the list of group names.
If this parameter is not defined in the configuration file, no group
filtering is performed.
Note: If you make changes to this parameter, you should run
adflush to clear the Centrify DirectControl cache to ensure your
changes take effect.

pam.deny.users
This configuration parameter specifies the users that should be
denied access to PAM-enabled applications. When this parameter is
defined, only the listed users are denied access. All other users are
allowed access.
If you want to use this parameter to control which users can log in,
the users you specify should be valid Active Directory users that
have been enabled for UNIX. If you specify local user accounts or
invalid Active Directory user names, these entries are ignored.
When a user attempts to log on or access a PAM-enabled service,
the pam_centrifydc module checks the users specified by this
parameter to see if the user is listed there. If the user is included in
the list, the user is rejected and authentication fails. If the user is
not listed, the user is accepted and authentication proceeds.
The parameter value can be one or more user names, separated by
commas or spaces, or the file: keyword and a file location. For
example, to prevent the user accounts starr and guestuser from
logging on:
pam.deny.users: starr,guestuser

Notes: You can use the short format of the user name or the full
canonical name of the user.
To enter user names with spaces, enclose them in double quotes; for
example:
pam.deny.users: "sp1 user@acme.com",joan@acme.com,"sp2 user@acme.com"

To specify a file that contains a list of the users that should be
denied access:
pam.deny.users: file:/etc/centrifydc/users.deny

If a computer is configured to use Auto Zone without a zone, you
should specify users with samAccountName@domain_name as the
parameter value or in the list of user names.
If this parameter is not defined in the configuration file, no user
filtering is performed.
Note: If you make changes to this parameter, you should run
adflush to clear the Centrify DirectControl cache to ensure your
changes take effect.
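The filtering rules described above for pam.allow.users, pam.deny.groups and pam.deny.users, worked through in code. This is an added example, not part of the Centrify guide or of the pam_centrifydc module. It parses constructed centrifydc.conf lines in the value formats shown (comma- or space-separated names, double-quoted names containing spaces, and the file: keyword) and then applies each defined filter. Assumptions not stated on the page: every defined filter must pass on its own, so a user who appears in a deny list is rejected even if also in an allow list; pam.allow.groups (shown in the earlier example but not described in this section) is taken to admit only members of the listed groups; and names are compared case-insensitively, with a bare short name matching the part before @ of a name@domain entry. Local accounts are not modelled because the text says they are ignored by these parameters.

```python
"""Evaluate Centrify-style PAM allow/deny filters against constructed input.
Added example, not Centrify code; see the lead-in for the assumptions."""
import os
import shlex
import tempfile

FILTER_KEYS = ("pam.deny.users", "pam.deny.groups",
               "pam.allow.users", "pam.allow.groups")


def parse_conf(text):
    """Return {key: value} from 'key: value' lines; '#' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def parse_names(value):
    """Split a filter value into names.

    Accepts comma- or space-separated lists, double-quoted names that
    contain spaces, and 'file:<path>' (one name per line in that file)."""
    if value.startswith("file:"):
        path = value[len("file:"):].strip()
        with open(path, encoding="utf-8") as fh:
            return [ln.strip() for ln in fh
                    if ln.strip() and not ln.lstrip().startswith("#")]
    lexer = shlex.shlex(value, posix=True)   # posix mode strips the quotes
    lexer.whitespace += ","                  # commas separate like spaces
    lexer.whitespace_split = True
    return [tok for tok in lexer if tok]


def name_matches(name, listed):
    """True if 'name' is in 'listed', allowing short-name/UPN mixes.

    Case-insensitive (assumption). A bare short name on either side
    matches the part before '@' on the other side."""
    n = name.strip().lower()
    for entry in listed:
        e = entry.strip().lower()
        if e == n:
            return True
        if "@" not in e and e == n.split("@", 1)[0]:
            return True
        if "@" not in n and n == e.split("@", 1)[0]:
            return True
    return False


def check_access(conf, user, groups):
    """Return (allowed, reason) for an Active Directory user and its groups.

    An absent or empty parameter means that filter is not applied; every
    filter that is defined must pass (assumption)."""
    lists = {}
    for key in FILTER_KEYS:
        if key in conf:
            names = parse_names(conf[key])
            if names:
                lists[key] = names
    if "pam.deny.users" in lists and name_matches(user, lists["pam.deny.users"]):
        return False, "user listed in pam.deny.users"
    if "pam.deny.groups" in lists and any(
            name_matches(g, lists["pam.deny.groups"]) for g in groups):
        return False, "member of a group listed in pam.deny.groups"
    if "pam.allow.users" in lists and not name_matches(user, lists["pam.allow.users"]):
        return False, "pam.allow.users is defined and the user is not listed"
    if "pam.allow.groups" in lists and not any(
            name_matches(g, lists["pam.allow.groups"]) for g in groups):
        return False, "pam.allow.groups is defined and the user is in none of them"
    return True, "passed every defined filter"


def demo():
    """Run the filters over a constructed configuration; returns the decisions."""
    # Constructed deny file standing in for /etc/centrifydc/users.deny
    with tempfile.NamedTemporaryFile("w", suffix=".deny", delete=False) as fh:
        fh.write("# constructed list\nstarr\nguestuser@acme.com\n")
        deny_file = fh.name
    try:
        conf = parse_conf(f"""
# constructed centrifydc.conf fragment
pam.allow.users: "sp1 user@acme.com",joan@acme.com,bbenton
pam.deny.users: file:{deny_file}
pam.deny.groups: vendors,"domain guests"
""")
        return {
            "joan": check_access(conf, "joan", ["sales"]),
            "sp1 user@acme.com": check_access(conf, "sp1 user@acme.com", []),
            "bbenton": check_access(conf, "bbenton", ["vendors", "engineering"]),
            "guestuser": check_access(conf, "guestuser", ["sales"]),
            "mallory@acme.com": check_access(conf, "mallory@acme.com", ["sales"]),
        }
    finally:
        os.unlink(deny_file)


if __name__ == "__main__":
    for who, (ok, why) in demo().items():
        print(f"{who:20} {'ALLOW' if ok else 'DENY':5} {why}")
```

The deny checks run before the allow checks only for readability; because each defined filter must pass, the order does not change any decision. Remember that the real module reads these lists from its cache, which is why the text tells you to run adflush after editing them.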

pam.ignore.users
This configuration parameter specifies one or more users that
Centrify DirectControl will ignore for lookup in Active Directory.
Because this parameter allows you to intentionally skip looking up
an account in Active Directory, it allows faster lookup for system
accounts such as tty, root, and bin and local login accounts.
Note: This configuration parameter ignores listed users for
authentication and NSS lookups.

If you are manually setting this parameter, the parameter value
should be one or more user names, separated by a space, or the
file: keyword and a file location. For example, to specify a list of
users to authenticate locally:
pam.ignore.users: root sys tty

To specify a file that contains a list of the users to ignore:
pam.ignore.users: file:/etc/centrifydc/users.ignore

If this parameter is not defined in the configuration file, no users
are ignored and every account is looked up in Active Directory.

Skipping Active Directory authentication for local AIX users
By default, Centrify DirectControl modifies the AIX Loadable
Authentication Module (LAM) for the SYSTEM user attribute to
look like this:
SYSTEM=CENTRIFYDC OR CENTRIFYDC[NOTFOUND] AND compat

This setting specifies that the first attempt to authenticate a user
should be passed to Active Directory through DirectControl. In
some cases, however, you may have local user accounts that you
only want to authenticate locally. Although there are parameters in
the Centrify DirectControl configuration file that enable you to
ignore Active Directory authentication for specific local users,
these parameters are not completely applicable on computers
running AIX. To exclude any local user account from Active
Directory authentication on AIX, you can run the following
command for the user:
chuser SYSTEM=compat username

Alternatively, you can edit the /etc/security/user file and change
the stanza for a particular user’s SYSTEM attribute to:
SYSTEM=compat

If you later decide you want to migrate the local user account to use
Active Directory, you can run the following command for the user
to reset the default authentication:
chuser SYSTEM= username

Note: To reset the user account to be authenticated through Active
Directory, there must be a space after the equal sign (=) in the
command line.

pam.mapuser.username
This configuration parameter maps a local UNIX user account to an
Active Directory account. Local user mapping allows you to set
password policies in Active Directory even when a local UNIX
account is used to log in. This parameter is most commonly used to
map local system or application service accounts to an Active
Directory account and password, but it can be used for any local
user account. For more information about mapping local accounts
to Active Directory users, see “Mapping local UNIX accounts to
Active Directory” on page 57.
If you are manually setting this parameter, you should note that the
local account name you want to map to Active Directory is
specified as the last portion of the configuration parameter name.
The parameter value is the Active Directory account name for the
specified local user. For example, the following parameter maps the
local UNIX account oracle to the Active Directory account
oracle_storm@acme.com if the host computer’s name is storm:
pam.mapuser.oracle: oracle_$HOSTNAME@acme.com

You can specify the user name in the configuration file with any of
the following valid formats:
Standard Windows format: domain\user_name
User Principal Name (UPN): user_name@domain
Alternate UPN: alt_user_name@alt_domain
UNIX user name: user
You must include the domain name in the format if the user
account is not in the local computer’s current Active Directory
domain.
Once a local account is mapped, its local password is no longer
used for ordinary logins; if you map root, also set
pam.allow.override so that a local fallback remains (see
pam.allow.override).
If this parameter is not defined in the configuration file, no local
UNIX user accounts are mapped to Active Directory accounts.

pam.password.change.mesg
This configuration parameter specifies the text displayed by a
PAM-enabled application when it requests a user to change a
password.
The parameter value must be an ASCII string. UNIX special
characters and environment variables are allowed. For example:
pam.password.change.mesg: Changing Active Directory password for\

If this parameter is not present, its default value is “Change
password for”.

pam.password.change.required.mesg
This configuration parameter specifies the message displayed if the
user enters the correct password, but the password must be
changed immediately.
For example:
pam.password.change.required.mesg: \
You are required to change your password immediately

pam.password.confirm.mesg
This configuration parameter specifies the text displayed by a
PAM-enabled application when it requests a user to confirm his
new password by entering it again.
The parameter value must be an ASCII string. UNIX special
characters and environment variables are allowed. For example:
pam.password.confirm.mesg: Confirm new Active Directory password:\

If this parameter is not present, its default value is “Confirm new
password:”.

pam.password.empty.mesg
This configuration parameter specifies the message displayed if the
user enters an empty password.
For example:
pam.password.empty.mesg: Empty password not allowed

pam.password.enter.mesg
This configuration parameter specifies the text displayed by a
PAM-enabled application when it requests a user to enter his
password.
The parameter value must be an ASCII string. UNIX special
characters and environment variables are allowed. For example:
pam.password.enter.mesg: Active Directory password:\

If this parameter is not present, its default value is “Password:”.


pam.password.expiry.warn
This configuration parameter specifies how many days before a
password is due to expire PAM-enabled applications should issue a
warning to the user.
The parameter value must be a positive integer. For example, to
issue a password expiration warning 10 days before a password is
set to expire:
pam.password.expiry.warn: 10

If this parameter is not present, its default value is 14 days.

pam.password.new.mesg
This configuration parameter specifies the text displayed by a
PAM-enabled application when it requests a user to enter his new
password during a password change.
The parameter value must be an ASCII string. UNIX special
characters and environment variables are allowed. For example:
pam.password.new.mesg: Enter new Active Directory password:\

If this parameter is not present, its default value is “Enter new
password:”.

pam.password.new.mismatch.mesg
This configuration parameter specifies the message displayed
during password change when the two new passwords do not
match each other.
For example:
pam.password.new.mismatch.mesg: New passwords don't match

pam.password.old.mesg
This configuration parameter specifies the message displayed by a
PAM-enabled application when it requests a user to enter his old
password during a password change.
The parameter value must be an ASCII string. UNIX special
characters and environment variables are allowed. For example:
pam.password.old.mesg: (current) Active Directory password:\

If this parameter is not present, its default value is “(current)
password:”.

pam.policy.violation.mesg
This configuration parameter specifies the message displayed
during password change if the operation fails because of a domain
password policy violation. For example, if the user attempts to
enter a password that doesn’t contain the minimum number of
characters or doesn’t meet complexity requirements, this message
is displayed.
For example:
pam.policy.violation.mesg: \
The password change operation failed due to a policy restriction set by the\nActive Directory administrator. This may be due to the new password length,\nlack of complexity or a minimum age for the current password.


Appendix D

Using DirectControl with SSH


After you have installed DirectControl and joined the Active
Directory domain on the UNIX computer, you can install a
Kerberized OpenSSH server on your system. There is an OpenSSH
client and server in the package, allowing a user to connect to a
UNIX computer running Centrify DirectControl or connect
between UNIX computers running DirectControl without
entering a username or password.
This appendix shows you how to install the Centrify release of
OpenSSH and demonstrates its use.
The following topics are covered:
About SSH and DirectControl
Setting up SSH
Testing SSH on UNIX
Testing SSH from a Windows machine

About SSH and DirectControl


Although many UNIX systems have an sshd server installed, most
are older implementations that do not support Kerberos. Centrify
provides a compiled version of the latest OpenSSH distribution to
make it easier for you to install and use SSH with DirectControl for
secured authentication to Active Directory using Kerberos. This
compiled version of OpenSSH is automatically installed when you
run the installation script to install Centrify DirectControl
Express.
Centrify has compiled the standard OpenSSH distribution
unmodified, but in the compile process links OpenSSH with the
DirectControl Kerberos libraries to ensure that sign-on works as
expected in an Active Directory environment. This provides
several advantages, including:
DirectControl will accept connections to any of the computer's
valid host names, either fully qualified or not, because all
combinations are registered with Active Directory. This reduces
Kerberos’ dependency on accurate DNS entries.
The installation process makes direct access to the Kerberos
tools possible by automatically adding
/usr/share/centrifydc/bin for all users and
/usr/share/centrifydc/sbin for administrators and super
users to the $PATH environment.
Centrify OpenSSH is installed as part of installing DirectControl.
If you already have OpenSSH installed on your system, you need to
remove the OpenSSH server. Do this from the system console or
another out-of-band session rather than over SSH, because stopping
sshd below also terminates the per-session sshd processes, including
the one you are logged in through. To remove the server on a Red Hat
Linux computer, log on as root and use the following command:
rpm --nodeps -e openssh openssh-server openssh-clients

On Sun Solaris, log on as root and use the following command:
pkgrm SUNWsshdu SUNWsshdr

Confirm with yes when prompted, then use the following
command to stop sshd:
pkill sshd

To install DirectControl and join the AD domain, see Installing the
Centrify DirectControl Agent.
The installation installs OpenSSH into the
/usr/share/centrifydc/ directory structure, where the server
daemon is in the sbin directory, the client applications are in the
bin directory, and the man pages are in the man directory. The
installation process also configures the OpenSSH server to start
automatically on computer startup.

Setting up SSH
All configuration of the SSH server is taken care of for you by the
installation. The only thing left to do is to start the server and test
connectivity to the sshd server process.
The first time the server starts, it tries to find the current set of
host keys in /etc/ssh and import them. If it doesn’t find the keys,
it generates new keys and stores them in /etc/centrifydc/ssh.
If new keys are generated, clients that already have this host in
their known_hosts file will warn that the host key has changed;
compare the fingerprint reported by ssh-keygen -l on the new key
before accepting it.
To start the server, run the following command (Red Hat Linux
only):
service centrify-sshd start

For Sun Solaris, or as an alternative method on Red Hat Linux,
run the following command:
/etc/init.d/centrify-sshd start

You can test the server by connecting to the local host to make sure
that SSH is running and accepting connections. The following
command should result in a local connection to the SSH server:
/usr/share/centrifydc/bin/ssh root@localhost

Testing SSH on UNIX
To test SSH on your UNIX system, log on to the UNIX system as an
ordinary Active Directory user and execute the following
command, where hostname is the hostname of the SSH server:
/usr/share/centrifydc/bin/ssh hostname

This command should result in a silent connection to the SSH
server.
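A silent connection shows that some credential was accepted, not that it was the Kerberos ticket; an SSH key in the user's home directory or a cached password would look the same. The following is an added example, not part of this guide or of the Centrify OpenSSH package. It runs the Centrify client from the path above with -v and BatchMode=yes, so a fall-back password prompt fails instead of hanging, and parses the client's debug output to report which authentication method the server accepted. The transcript strings in SAMPLE_OK and SAMPLE_FALLBACK are constructed, modelled on OpenSSH's debug1 lines; kerberos_login_check needs a reachable host and runs only when the file is executed directly.

```python
"""Check that an SSH login to a DirectControl host used Kerberos
(gssapi-with-mic) rather than a key or a password. Added example, not
Centrify code."""
import re
import subprocess

SSH_BIN = "/usr/share/centrifydc/bin/ssh"   # client path given in the appendix

OFFERED_RE = re.compile(r"Authentications that can continue: (\S+)")
SUCCESS_RE = re.compile(r"Authentication succeeded \(([^)]+)\)")


def analyze_ssh_debug(debug_text):
    """Summarise an 'ssh -v' transcript.

    'offered'  : methods from the last 'Authentications that can continue:' line
    'method'   : the method named in 'Authentication succeeded (...)', or None
    'kerberos' : True only when that method was gssapi-with-mic"""
    offered = []
    method = None
    for line in debug_text.splitlines():
        m = OFFERED_RE.search(line)
        if m:
            offered = m.group(1).split(",")
        m = SUCCESS_RE.search(line)
        if m:
            method = m.group(1)
    return {
        "offered": offered,
        "method": method,
        "kerberos": method == "gssapi-with-mic",
        "gssapi_offered": "gssapi-with-mic" in offered,
    }


def kerberos_login_check(host, ssh_bin=SSH_BIN, timeout=30):
    """Run a non-interactive login and classify how it authenticated.

    PreferredAuthentications restricts the client to the Kerberos method and
    BatchMode=yes turns any password prompt into a failure, so the result
    cannot be a silent success through some other credential."""
    proc = subprocess.run(
        [ssh_bin, "-v", "-o", "BatchMode=yes",
         "-o", "PreferredAuthentications=gssapi-with-mic", host, "true"],
        capture_output=True, text=True, timeout=timeout, check=False)
    result = analyze_ssh_debug(proc.stderr)   # ssh writes -v output to stderr
    result["exit_status"] = proc.returncode
    return result


# Constructed transcripts (not captured from a real host), in the shape of
# OpenSSH client debug1 output.
SAMPLE_OK = """\
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to storm.acme.com ([10.0.0.5]:22).
"""

SAMPLE_FALLBACK = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Authentication succeeded (publickey).
"""


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(kerberos_login_check(target))
```

If the server never lists gssapi-with-mic among the methods it offers, the problem is on the server side (the wrong sshd is answering, or the host has no usable keytab); if it is offered but a different method wins, the client did not present a ticket, which klist on the client will confirm.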

Testing SSH from a Windows machine
On a Windows computer joined to the same Active Directory
domain, you can now use PuTTY as distributed by Centrify
(available on the Centrify Resource Center) or any other SSH
solution that supports Kerberos. But first you must configure the
following setting in PuTTY:
To configure PuTTY for SSH login:
1 Open PuTTY.
2 In the Category window, expand Connection > SSH.
3 In Kerberos flags, select Attempt Kerberos auth (SSH2).
4 Save the settings.
You can now see the Centrify Resource Center for a list of tested
clients, and connect to the UNIX computer without being
prompted for user ID or password as long as the user has a valid
UNIX profile and permissions to log in to the UNIX computer.

Index

A
account mapping
  configuration setting 163
  purpose of 57
Active Directory
  joining the domain 41
  specifying a domain 42
adcache
  command reference 140
  examples 141
  options 141
ADCheck 31
adcheck command reference 101
adclient
  log file 63
  starting and stopping 138
adclient.ntlm.separators 151
addebug
  command reference 131
  examples 132
  options 131
adfinddomain
  command reference 133
  examples 134
  options 133
adfixid
  examples 135
adflush
  command reference 135
  options 135
adid
  command reference 136
  examples 137
  options 137
adinfo
  command reference 120
  displaying help 77
  examples 127
  introduction 67
  options 121
  when to use 77
adjoin
  command reference 80
  displaying help 77
  examples 90
  options 81
  running after installation 41
  when to use 76
adleave
  command reference 95
  displaying help 77
  examples 100
  options 97
  when to use 76
adlicense
  options 102, 104
adlicense command reference 103
adpasswd
  command reference 104
  displaying help 77
  examples 107
  options 105
  when to use 76
adquery
  command reference 109
  examples 116
  group 114
  user 109
adreload
  examples 144
  options 144
adupdate
  displaying help 77
Auto Zone 20 to 21
  configuration parameters 145 to 151
auto.schema.domain.prefix 149
auto.schema.homedir 147
auto.schema.iterate.cache 150
auto.schema.name.format 148
auto.schema.name.lower 150
auto.schema.primary.gid 146
auto.schema.private.group 146
auto.schema.remote.file.service 148
auto.schema.search.return.max 150
auto.schema.separator 149
auto.schema.shell 146
auto.schema.use.adhomedir 147

C
Centrify DirectControl
  access control summary 15, 59
  command line programs 76
  daemon 138
  diagnostic information 67
  documentation 11
  joining the domain 41
  log files 64
  managed system 15
  package location 31
  password enforcement 54
  removing the software 49
  solution overview 14 to 16
  support for UNIX services 16
  technical support 12
  troubleshooting issues 63
  Unix installation 27
  UNIX requirements 26
Centrify DirectControl Agent
  architecture 17
  key tasks 16
Centrify web site 12
command line programs
  basic usage 76
  displaying help 77
  location 76
  man pages 77
configuration file (centrifydc.conf)
  Auto Zone parameters 145 to 151
  PAM parameters 153 to 167
conventions, documentation 9

D
daemon
  enabling logging 63
  introduction 138
Debian Linux
  removing DirectControl 50
diagnostic information 67, 128
DirectControl
  integration with Samba 60
disconnected operation
  account changes 56
  credential storage 56
documentation
  additional 11
  audience 8
  conventions 9
  summary of contents 8 to 9
domain controllers
  adding DNS server role 71
  setting manually 72
  testing connectivity 69
Domain Name Server (DNS)
  manual setting 70
  nameserver entry 69
  server role 68, 71
  services provided 68
  testing connectivity 69
  Unix configuration 39
  using a forwarder 70

E
etc/ssh 171

F
file sharing
  ownership 60
ftp 59

G
global catalog, defining manually 73
groups
  allowing access 154
  denying access 159

I
installation
  files and directories 38
  prerequisites
    Unix platforms 26
  restarting services 46
  Unix components 27

J
join operation
  command reference 80
  joining a domain 42 to 46

L
LAM configuration
  local authentication 162
Linux
  joining the domain 41
  naming convention 10
log files
  adinfo output 67
  enabling 64
  location 64, 131
  performance impact 64
  purpose 63

M
Mac OS X
  directory on CD 31
  removing DirectControl 50
man pages
  displaying 77
  source of information 11
managed system 15
messages
  confirmation 165
  empty password 165
  mismatch between password 166
  new password 166
  old password 167
  password changes 157, 158
  policy violation 167
  prompt for password 165

N
NSS configuration
  modification 17
  users ignored 162
NTLM
  name format 151

P
PAM configuration
  account mapping 163
  agent component 17
  group filtering 154, 159
  ignore authentication 155
  messages displayed 164 to 166
  parameter settings 153 to 167
  user filtering 158, 161
pam.allow.groups 154, 159
pam.allow.override 155
pam.allow.password.change 156
pam.allow.password.change.mesg 157
pam.allow.password.expired.access 157
pam.allow.password.expired.access.mesg 158
pam.allow.users 158, 161
pam.deny.users 161
pam.ignore.users 162
pam.mapuser.username 163
pam.password.change.mesg 164
pam.password.change.required.mesg 164
pam.password.confirm.mesg 165
pam.password.empty.mesg 165
pam.password.enter.mesg 165
pam.password.expiry.warn 166
pam.password.new.mesg 166
pam.password.new.mismatch.mesg 166
pam.password.old.mesg 167
pam.policy.violation.mesg 167
pam.user.ignore 162
password management
  changing your own 54
  disconnected mode 56
  expired passwords 156 to 158
  messages displayed 164 to 166
  policy definition 54
  policy enforcement 16
  resetting for other users 55

Q
Quick Start 11

R
Red Hat Linux
  removing DirectControl 50
root user
  adinfo options 67
  adleave operation 96
  enabling logging 64
  installation requirement 28
  join operation 80
  local override account 59
  override account 155
  running native installers 35

S
Samba 59
  integration with DirectControl 60
SSH 59, 169 to 172
  about 170
  installing 170
  setting up 171
  testing on UNIX 171
  testing on Windows 172
SuSE Linux
  removing DirectControl 50

T
technical support 12
telnet 59
troubleshooting
  daemon operation 63
  enabling logging 64
  using adinfo 67

U
UNIX
  command line programs 76
  man pages 77
  naming convention 10
Unix
  DNS configuration 39
  files and directories 38
  installing DirectControl 27
  restarting services 46
  system requirements 26
UNIX users
  local account mapping 57
users
  account mapping 57
  allowing access 158
  denying access 161
  disconnected logins 56
  ignoring for lookups 162
  local authentication 155
  mapping local accounts 163
  password policies 54

W
Windows
  knowledge of 8

Z
zones
  understanding the use of 20
