Centrify/Delinea
This is the Centrify for UNIX/Linux/Mac Command Line Cheat Sheet
Ref: https://centrifying.blogspot.com/2016/02/centrify-for-unix-cli-cheat-sheet.html
AD-bridging commands ("ad" commands)
adcheck - check OS, network and AD readiness for Centrify DirectControl
To check the system with domain (e.g. corp.contoso.com)
$ adcheck corp.contoso.com
To only perform OS checks
$ adcheck --test os
To only perform network-related tests
$ adcheck --test net corp.contoso.com
To only perform AD-related tests
$ adcheck --test ad corp.contoso.com
To check the system with a service domain controller (e.g. dc1)
$ adcheck --servername dc1 corp.contoso.com
To check connectivity only with DCs within the site
$ adcheck --siteonly corp.contoso.com
To check only on 3 (or n) DCs in a large domain
$ adcheck --bigdomain 3 corp.contoso.com
To check trust relationships (e.g. with hq.fabrikam.com)
$ adcheck --xdomain corp.contoso.com
To skip NTP checking (if you are not doing sync with AD DCs)
$ adcheck --skip-ntp corp.contoso.com
adinfo: provides information about the status of the agent
Looking-up Basic Information
To check the general status of the client
$ adinfo
To see the current domain controller the client is using
$ adinfo --server
To see the current domain the agent is joined to
$ adinfo --domain
To see the status (mode) of the agent (connected to ad or in offline mode)
$ adinfo --mode
To see the version of the installed client
$ adinfo --version
To see the corresponding Centrify Suite Version
$ adinfo --suite-version
To view Active Directory connectivity to the current domain
$ adinfo --test
To view the current Active Directory site
$ adinfo --site
To see the current joined Centrify zone
$ adinfo --zone
$ adinfo --zonedn (in distinguishedName format)
DNS
To check for the "joined-as" name (local host name and joined as name may be different)
$ adinfo --name
To check the status of the DNS cache and stats
$ adinfo --diag dns
Connectivity
To check connectivity with an AD domain
$ adinfo --test [domain.name]
To check network connectivity statistics
$ adinfo --sysinfo netstate
To test connectivity against a specific domain controller
$ adinfo --test --servername [domain.controller.name]
Active Directory
To see the current AD Global Catalog
$ adinfo --gc
To see the domain/forest map
$ adinfo --sysinfo domain
To see the status of the AD computer trust relationship
$ adinfo --sysinfo adagent
Testing a user's password
$ adinfo -A --user [username] # this will prompt you for a password, the output is: Password for user "username" is correct/incorrect
Configuration
To parse the contents of the centrify.conf file
$ adinfo --config
To show the client's in memory configuration parameters
$ adinfo --sysinfo config
Kerberos
To view Kerberos information like supported encryption types, key version and registered SPNs
$ adinfo --computer
To view the updated Kerberos configuration in the local system
$ cat /etc/krb5.conf
To list the principals (and key version numbers) in the system's keytab (/etc/krb5.keytab)
$ dzdo /usr/share/centrifydc/kerberos/bin/klist -kt /etc/krb5.keytab
To determine the encryption types of the system's cached ticket
$ dzdo /usr/share/centrifydc/kerberos/bin/klist -fe /etc/krb5.ccache
PKI
adcert - centrify Microsoft PKI client
To perform auto-enrollment of Computer PKI certificates (requires an eligible template and connectivity to the CA)
Using the computer object to authenticate
$ dzdo /usr/share/centrifydc/sbin/adcert --enroll --machine
Using a user to authenticate
$ dzdo /usr/share/centrifydc/sbin/adcert --enroll --user [ADusername]
Dynamic DNS
addns - a dynamic DNS client for AD DNS or RFC 2136-compliant servers
To renew DNS using machine credentials
$ sudo addns --update --machine
To renew DNS using user credentials
$ sudo addns --update --user [ADusername]
To renew DNS only on a specific interface (e.g. eth0)
$ sudo addns --update --machine --interface eth0
Querying Centrify-enabled AD Users and Groups
adquery: provides information about Active Directory users and groups that are UNIX-enabled by Centrify
To view all Centrify UNIX-enabled users
$ adquery user
(shows all AD users in Express mode, only authorized users in Zone mode)
To view all Centrify UNIX-enabled groups
$ adquery group
(shows all AD groups in Express mode, only UNIX-enabled groups in Zone mode)
To view a user's entry (UNIX passwd file style)
$ adquery user [username]
To view a group entry (UNIX group file style)
$ adquery group [groupname]
To view only the user or group's AD group memberships
$ adquery user [user] --adgroup
To view all information about a user or group (including AD object attributes)
$ adquery user|group [user or group] -A
To view the distinguishedName of a user or group
$ adquery user|group [user or group] --dn
To view all information and include password expiration, account lockout/enabled state
$ sudo adquery user [user] -A
To view information about a computer
$ adquery user [computername]$ -A
To get results from cache (instead of fetching from AD)
$ adquery user|group [options] --cache-first
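Because adquery prints users in UNIX passwd file style and (after adjoin) NSS consults AD before local files, a local account that shares a name or UID with a Centrify-enabled AD user gets shadowed or ends up owning the same files. The following is an added example, not part of the cheat sheet or of Centrify's tooling: it parses passwd-style lines (as captured from `adquery user` and from `/etc/passwd`) and reports UID and name collisions. Both inputs below are constructed sample data.

```python
"""Cross-check Centrify-provisioned AD users against local accounts.

Added example (not from the cheat sheet or Centrify). Both inputs are
constructed samples in passwd file style: the first stands in for the
output of `adquery user`, the second for /etc/passwd.
"""

# Constructed sample: what `adquery user` might print on a zone-mode host
ADQUERY_OUTPUT = """\
lisa.simpson:x:1200001:1200001:Lisa Simpson:/home/lisa.simpson:/bin/bash
bart.simpson:x:1200002:1200001:Bart Simpson:/home/bart.simpson:/bin/bash
oracle:x:1001:1001:Oracle svc (AD):/home/oracle:/bin/bash
"""

# Constructed sample: local /etc/passwd on the same host
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
oracle:x:1001:1001:Oracle:/opt/oracle:/bin/bash
backup:x:1200002:1200002:backup:/var/backups:/usr/sbin/nologin
"""


def parse_passwd(text):
    """Parse passwd-style lines into dicts; skip blank, comment and malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a valid passwd record (7 colon-separated fields)
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def find_collisions(ad_entries, local_entries):
    """Return (uid_collisions, name_collisions), in AD listing order.

    uid_collisions:  list of (uid, ad_name, local_name)
    name_collisions: list of (name, ad_uid, local_uid)
    """
    local_by_uid = {e["uid"]: e["name"] for e in local_entries}
    local_by_name = {e["name"]: e["uid"] for e in local_entries}
    uid_collisions, name_collisions = [], []
    for e in ad_entries:
        if e["uid"] in local_by_uid:
            uid_collisions.append((e["uid"], e["name"], local_by_uid[e["uid"]]))
        if e["name"] in local_by_name:
            name_collisions.append((e["name"], e["uid"], local_by_name[e["name"]]))
    return uid_collisions, name_collisions


if __name__ == "__main__":
    # On a real host, replace the constants with the captured command output:
    #   adquery user > /tmp/adusers.txt ; cat /etc/passwd
    uids, names = find_collisions(parse_passwd(ADQUERY_OUTPUT),
                                  parse_passwd(LOCAL_PASSWD))
    for uid, ad_name, local_name in uids:
        print(f"UID {uid}: AD user {ad_name!r} shares it with local {local_name!r}")
    for name, ad_uid, local_uid in names:
        print(f"name {name!r}: AD uid {ad_uid}, local uid {local_uid}")
```

With the sample data the script flags UID 1200002 (AD bart.simpson vs. local backup) and the duplicated oracle account. A same-name, same-UID pair like oracle is usually a deliberate migration of a local account into the zone, whereas a same-UID, different-name pair is the one that silently gives an AD user ownership of a local account's files.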
Centrify Cache Commands
adflush - clears the Centrify cache in the local computer (dc, gc, credential & dns)
To flush the authorization cache
$ dzdo adflush --auth
To rebind and force a new DC selection
$ dzdo adflush --bindings
To flush the DNS cache
$ dzdo adflush --dns
To expire the information from domain controllers and global catalogs
$ dzdo adflush --expire
To force complete removal/expiration even when disconnected (use carefully)
$ dzdo adflush --force
To refresh the krb5.conf file
$ dzdo adflush --trusts
To clear the health history
$ dzdo adflush --health
To clear the cloud connectors (in MFA scenarios)
$ dzdo adflush --connectors
adgpupdate - triggers the group policy refresh interval
To refresh the GPOs in the system
$ adgpupdate
To refresh only computer GPOs
$ adgpupdate --target Computer
To refresh only user GPOs
$ adgpupdate --target User
adgpresult - to view a RSOP (resultant set of policy) to the local system or user
To view the report for computer and user
$ adgpresult
To view the report for the computer
$ adgpresult --computer
To view the report for the current user
$ adgpresult --user
To view the report for a particular user
$ dzdo adgpresult --user [user.name]
Joining Active Directory
adjoin - joins an Active Directory domain
To run adjoin successfully, you need
- to be root or sudo
- to have the credentials (or the keytab) of an AD user that can join computers to a container (NOT Domain Admin)
- to know the Distinguished Name (e.g. "ou=servers,ou=unix") of the container that you will place the system in AD
- to know the domain name you're joining
- to have a clear network path to the DC or DCs you're using (dns, global catalog, kerberos, ldap, cifs, ntp).
To join AD in workstation/express mode (AD user must be able to add computers to "ou=workstations,ou=unix")
$ sudo adjoin --workstation --container "ou=workstations,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
To join AD in Self-Service mode (AD/Centrify admin pre-created the machine ahead of time using AM or Centrify PS) (How we do it at work)
$ sudo adjoin --selfserve [domain.name]
To join AD in zone mode (e.g. Global zone)
$ sudo adjoin --zone Global --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
To join AD in zone mode and don't initialize (precache)
$ sudo adjoin --noinit --zone Global --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
To join AD and trust the Computer for Delegation (must know what you're doing - security implications)
$ sudo adjoin --trust --zone Global --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
To join AD in workstation mode and specify a workstation license
$ sudo adjoin --licensetype "workstation" --workstation --container "ou=workstations,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
To use an specific domain controller to join (e.g. dc1.hq.fabrikam.com)
$ sudo adjoin --server dc1.hq.fabrikam.com --zone Global --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
To join a Mac in Workstation mode and instruct Centrify to use the Apple algorithm to generate the UID/GID scheme
$ sudo adjoin --enableAppleIDGenScheme --container "ou=macs,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
To join AD and provide a different "AD name" than the local system name (e.g. adserver vs. localhost)
$ sudo adjoin --name adserver --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
To join AD using keytab (kinit Authorized AD user keytab first, then run adjoin without the --user option)
$ env KRB5_CONFIG=[/path/to/krb5.conf] /usr/share/centrifydc/kerberos/bin/kinit -kt /path/to/keytab [principal]
$ sudo adjoin --zone Global --container "ou=servers,ou=unix" --verbose [domain.name]
Another way we do it at work:
$ sudo adjoin --zone <zone_name> -u <username> <domain> --name <hostname> --force
Leaving Active Directory
adleave - leaves an Active Directory domain
To run adleave successfully, you need:
- sudo or root
- for online leave, authorized AD user credentials
Leave the domain and disable the computer object (orphan object left behind)
$ dzdo adleave --user [Authorized ADUsername]
Leave the domain and remove computer object (frees license)
$ dzdo adleave --user [Authorized ADUsername] --remove
Offline/forced leave (no AD connectivity required, must clean-up in AD)
$ dzdo adleave --force
Privilege Elevation ("dz" commands)
dzinfo - displays information of the user's access controls
To view self access (all)
$ dzinfo
To view the properties of the role(s), including effectiveness
$ dzinfo --roles
To view how you can access the system (PAM rights)
$ dzinfo --pam
To view the commands you can run
$ dzinfo --commands
To view the computer roles that apply to the system (requires elevation)
$ dzinfo --computer-role
To view authorization information about another user (requires elevation)
$ dzdo dzinfo [user.name]
To test a command against the role
$ dzinfo --test [path/to/binary] [options]
Centrify-enhanced sudo
dzdo - centrify-enhanced sudo. Uses Centrify zone data in AD for commands, otherwise identical to sudo.
To view version information (as of 2015, based on sudo 1.8.10p3)
$ dzdo -V
Use man sudo or man dzdo for more.
Need to check what this does:
$ dzdo -l
DirectAudit Commands ("da" commands)
dainfo - shows information about the status of the audit agent
To view the audit agent status
$ dainfo
To view status with verbose output
$ dainfo --diag (or dadiag)
To view contents of the configuration file
$ dainfo --config
To view audited status of another user (must elevate)
$ dzdo dainfo --username lisa.simpson
dacontrol - controls the status/configuration of the directaudit client (requires elevation)
To set the installation (if not set by Group Policy)
$ dzdo dacontrol --installation [installation-name]
To check if the audit agent is enabled
$ dzdo dacontrol --query
To enable direct audit
$ dzdo dacontrol --enable
To disable direct audit
$ dzdo dacontrol --disable
FAQ
What happens when adjoin is run successfully?
This activates the DirectControl agent (adclient/CentrifyDC service).
- Creates a computer object in AD and sets SPNs for http, host, nfs, cifs, afpserver
- Establishes a secure communication channel between the system and Active Directory
- A forest/domain/site map is created to locate the nearest DCs
- The Kerberos environment (krb5.conf, krb5.keytab) are maintained by Centrify (configurable). A backup is created.
- Network time is synchronized with AD DCs (configurable)
- The PAM (Pluggable Authentication Modules) are modified to include Centrify auth, account, password, session modules. A back-up of the previous configuration is made.
- The NSS (Name Service Switch) providers for users and groups defaults to AD first, then other methods (e.g. files, ldap, etc). A backup of the previous configuration is made.
- Note: in the OS X platform, the PAM/NSS functions are channeled via the Directory Services Plugin API.
- An Access Control Model is enforced depending on the zone mode:
- In zone mode: Authorization (RBAC) follows zone rules (defaults to closed, only authorized users can access and enabled groups are visible)
- In express/workstation mode: Only Authentication is facilitated. The system is open for all AD users and all groups are visible.
- Privilege Elevation: Centrify-enhanced sudo (dzdo) becomes active based on the roles/rights defined.
- User/Group identity (RFC2307) data in AD is stored within the Centrify zone, NOT with the user/group object.
- The virtual registry is initialized and group policies are enforced.
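The SPN list above (http, host, nfs, cifs, afpserver) and the Kerberos section's `klist -kt` / `klist -fe` commands give a defender a concrete post-join check: are the expected service principals present in the keytab, and are any of them keyed with legacy encryption types? The following is an added example, not code from the cheat sheet or from Centrify. It parses the standard MIT `klist -kte` listing (the constructed sample below mimics that layout), assumes one keytab entry per SPN the FAQ names, and treats DES and RC4 (arcfour) as the weak types to flag; both of those are assumptions of this example, not statements from the page.

```python
"""Audit the system keytab after adjoin: expected SPNs present, weak enctypes absent.

Added example (not from the cheat sheet or Centrify). KLIST_OUTPUT is a
constructed sample in the MIT `klist -kte` layout. The expected service
list comes from the FAQ; treating DES/RC4 as weak is this example's assumption.
"""
import re

# SPNs the FAQ says adjoin registers; assumption: each has its own keytab entry
EXPECTED_SERVICES = ("host", "http", "nfs", "cifs", "afpserver")
# Enctype name prefixes this example treats as legacy (assumption)
WEAK_ENCTYPES = ("des-", "arcfour-hmac", "rc4-hmac")

# Constructed sample of `klist -kte /etc/krb5.keytab` for a host joined as srv01
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/10/2016 10:15:02 host/srv01.corp.contoso.com@CORP.CONTOSO.COM (aes256-cts-hmac-sha1-96)
   3 02/10/2016 10:15:02 host/srv01.corp.contoso.com@CORP.CONTOSO.COM (arcfour-hmac)
   3 02/10/2016 10:15:02 http/srv01.corp.contoso.com@CORP.CONTOSO.COM (aes256-cts-hmac-sha1-96)
   3 02/10/2016 10:15:02 nfs/srv01.corp.contoso.com@CORP.CONTOSO.COM (aes256-cts-hmac-sha1-96)
   3 02/10/2016 10:15:02 cifs/srv01.corp.contoso.com@CORP.CONTOSO.COM (aes256-cts-hmac-sha1-96)
   3 02/10/2016 10:15:02 SRV01$@CORP.CONTOSO.COM (aes256-cts-hmac-sha1-96)
"""

# KVNO, "date time", principal, "(enctype)"; header and rule lines do not match
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return a list of (kvno, principal, enctype) tuples, one per keytab entry."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries


def audit_keytab(text, joined_name, realm):
    """Compare the keytab listing with what adjoin should have registered.

    joined_name is the name the host was joined as (see `adinfo --name`),
    realm the Kerberos realm (upper-case domain). Returns a dict with the
    missing SPNs, principals that have a weak-enctype key, and the distinct
    KVNOs present (more than one usually means old keys were kept after a
    machine password change).
    """
    entries = parse_klist(text)
    principals = {p for _, p, _ in entries}
    expected = {f"{svc}/{joined_name}@{realm}" for svc in EXPECTED_SERVICES}
    missing = sorted(expected - principals)
    weak = sorted({p for _, p, e in entries if e.lower().startswith(WEAK_ENCTYPES)})
    kvnos = sorted({k for k, _, _ in entries})
    return {"missing": missing, "weak": weak, "kvnos": kvnos}


if __name__ == "__main__":
    # On a real host: klist -kte /etc/krb5.keytab > /tmp/keytab.txt (needs dzdo)
    report = audit_keytab(KLIST_OUTPUT, "srv01.corp.contoso.com", "CORP.CONTOSO.COM")
    for spn in report["missing"]:
        print(f"missing SPN: {spn}")
    for principal in report["weak"]:
        print(f"weak enctype key present for: {principal}")
    print(f"KVNOs in keytab: {report['kvnos']}")
```

On the sample, the audit reports the afpserver SPN as missing and the host/ principal as carrying an arcfour-hmac key; `adinfo --computer` shows the encryption types the computer object advertises, which is the place to reconcile a mismatch before flushing the keytab.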
What happens when adleave is run successfully?
- Online with --remove: The object in AD is removed from the container and from the zone (frees license)
- Online without --remove: The object in AD is marked as disabled. It must be overwritten to rejoin.
- Offline: The object in AD is left orphaned. Cleanup must happen via any Centrify API (AM, PowerShell, adedit)
- The UNIX environment is reset and rolled back (Kerberos, PAM, NSS)
- The Centrify adclient (CentrifyDC) service is disabled.
Important Files and Folders
- /usr/share/centrifydc/
- /bin > contains user binaries, including centrify-enhanced openldap tools like ldapsearch
- /sbin > contains system binaries, including adcert and centrify-enhanced OpenSSH
- /samples > sample files for hadoop, adedit and local account management
Note: on OS X El Capitan, things changed to /usr/local/share/centrifydc
- /etc/centrifydc
- /centrifydc > config files for the DirectControl agent
- /centrifyda > config files for the DirectAudit agent
- /centrifycc > config files for the Privilege Service CLI Toolkit for AAPM
- /openldap > config files for Centrify-enhanced OpenLDAP proxy if installed
- /ssh > config files for Centrify-enhanced OpenSSH
- /var/centrifydc
- kset* files > dynamic information about the environment
- reg > virtual registry, contains the computer and user hives (user GPO disabled on Servers)
- /var/centrify
- net/certs > location of any Microsoft Certificate Authority auto-enrolled certs, keys and trust chain