Ardika Sulistija: Created page with "This is the Centrify for UNIX/Linux/Mac Command Line Cheat Sheet
Ref: https://centrifying.blogspot.com/2016/02/centrify-for-unix-cli-cheat-sheet.html ====AD-bridging commands ("ad" commands)==== ---- adcheck - check OS, network and AD readiness for Centrify DirectControl To check the system with domain (e.g. corp.contoso.com) $ adcheck corp.contoso.com To only perform OS checks $ adcheck --test os To only perform network-related tests $ adcheck --test n..."

2024-08-21T14:42:25Z

Created page with "This is the Centrify for UNIX/Linux/Mac Command Line Cheat Sheet Ref: https://centrifying.blogspot.com/2016/02/centrify-for-unix-cli-cheat-sheet.html ====AD-bridging commands ("ad" commands)==== ---- adcheck - check OS, network and AD readiness for Centrify DirectControl To check the system with domain (e.g. corp.contoso.com) $ adcheck corp.contoso.com To only perform OS checks $ adcheck --test os To only perform network-related tests $ adcheck --test n..."

New page

This is the Centrify for UNIX/Linux/Mac Command Line Cheat Sheet 
Ref: https://centrifying.blogspot.com/2016/02/centrify-for-unix-cli-cheat-sheet.html

====AD-bridging commands ("ad" commands)====
----
adcheck - check OS, network and AD readiness for Centrify DirectControl

To check the system with domain (e.g. corp.contoso.com)
$ adcheck corp.contoso.com
To only perform OS checks
$ adcheck --test os
To only perform network-related tests
$ adcheck --test net corp.contoso.com
To only perform AD-related tests
$ adcheck --test ad corp.contoso.com
To check the system with a service domain controller (e.g. dc1)
$ adcheck --servername dc1 corp.contoso.com
To check connectivity only with DCs within the site
$ adcheck --siteonly corp.contoso.com
To check only on 3 (or n) DCs in a large domain
$ adcheck --bigdommain 3 corp.contoso.com
To check trust relationships (e.g. with hq.fabrikam.com)
$ adcheck --xdomain corp.contoso.com
To skip NTP checking (if you are not doing sync with AD DCs)
$ adcheck --skip-ntp corp.contoso.com

adinfo: provides information about the status of the agent

Looking-up Basic Information
To check the general status of the client
$ adinfo
To see the current domain controller the client is using
$ adinfo --server
To see the current domain the agent is joined to
$ adinfo --domain
To see the status (mode) of the agent (connected to ad or in offline mode)
$ adinfo --mode
To see the version of the installed client
$ adinfo --version
To see the corresponding Centrify Suite Version
$ adinfo --suite-version
To view Active Directory connectivity to the current domain
$ adinfo --test
To view the current Active Directory site
$ adinfo --site
To see the current joined Centrify zone
$ adinfo --zone
$ adinfo --zonedn (in distinguishedName format)

=====DNS=====

To check for the "joined-as" name (local host name and joined as name may be different)
$ adinfo --name
To check the status of the DNS cache and stats
$ adinfo --diag dns

=====Connectivity=====
To check connectivity with an AD domain
$ adinfo --test [domain.name]
To check network connectivity statistics
$ adinfo --sysinfo neststate
To test connectivity against a specific domain controller
$ adinfo --T --servername [domain.controller.name]

=====Active Directory=====
To see the current AD Global Catalog
$ adinfo --gc
To see the domain/forest map
$ adinfo --sysinfo domain
To see the status of the AD computer trust relationship
$ adinfo --sysinfo adagent

Testing a user's password
$ adinfo -A --user [username]
# this will prompt you for a password, the output is:
Password for user "username" is correct/incorrect

=====Configuration=====
To parse the contents of the centrify.conf file
$ adinfo --config
To show the client's in memory configuration parameters
$ adinfo --sysinfo config

=====Kerberos=====
To view Kerberos information like supported encryption types, key version and registered SPNs
$ adinfo --computer
To view the updated Kerberos configuration in the local system
$ cat /etc/krb5.conf
To list the principals in the system's krb5.conf file
$ dzdo /usr/share/centrifydc/kerberos/bin/klist -kt /etc/krb5.keytab
To determine the encryption types of the system's cached ticket
$ dzdo /usr/share/centrifydc/kerberos/bin/klist -fe /etc/krb5.ccache

=====PKI=====
adcert - centrify Microsoft PKI client

To perform auto-enrollment of Computer PKI certificates (requires elegible template and communications)
Using the computer object to authenticate
$ dzdo /usr/share/centrifydc/sbin/adcert --enroll --machine
Using a user to authenticate
$ dzo /usr/share/centrifydc/sbin/adcert --enroll --user [ADusername]

====Dynamic DNS====
----
addns - a dynamic DNS client for AD DNS or RFC 2136-compliant servers

To renew DNS using machine credentials
$ sudo addns --update --machine
To renew DNS using user credentials
$ sudo addns --update --user [ADusername]
To renew DNS only on a specific interface (e.g. eth0)
$ sudo addns --update --machine --interface eth0

====Querying Centrify-enabled AD Users and Groups====
----
adquery: provides information about Active Directory users and groups that are UNIX-enabled by Centrify

To view all Centrify UNIX-enabled users
$ adquery user
will show all AD users in Express mode / Only authorized in Zone mode
To view all Centrify UNIX-enabled groups
$ adquery groupwill show all AD groups in Express mode / Only unix-enabled in Zone mode
To view a user's entry (UNIX passwd file style)
$ adquery user [username]
To view a group entry (UNIX group filestyle)
$ adquery group [groupname]
To view only the user or group's AD group memberships
$ adquery user [user] --adgroup
To view all information about a user or group (including AD object attributes)
$ adquery user|group [user or group] -A
To view the distinguishedName a user or group
$ adquery user|group [user or group] --dn
To view all information and include password expiration, account lockout/enabled state
$ sudo adquery user [user] -A
To view information about a computer
$ adquery user [computername]$ -A
To get results from cache (instead of fetching from AD)
$ adquery user|group [options] --cache-first

====Centrify Cache Commands====
----
adflush - clears the Centrify cache in the local computer (dc, gc, credential & dns)

To flush the authorization cache
$ dzdo adflush --auth
To rebind and force a new DC selection
$ dzdo adflush --bindings
To flush the DNS cache
$ dzdo adflush --dns
To expire the information from domain controllers and global catalogs
$ dzdo adflush --expire
To force complete removal/expiration even when disconnected (use carefully)
$ dzdo adflush --force
To refresh the krb5.conf file
$ dzdo adflush --trusts
To clear the health history
$ dzdo adflush --health
To clear the cloud connectors (in MFA scenarios)
$ dzdo adflush --connectors

====Group Policy-related Commands====
----
adgpupdate - triggers the group policy refresh interval

To refresh the GPOs in the system
$ adgpupdate
To refresh only computer GPOs
$ adgpupdate --target Computer
To refresh only user GPOs
$ adgpupdate --target User

adgpresult - to view a RSOP (resultant set of policy) to the local system or user

To view the report for computer and user
$ adgpresult
To view the report for the computer
$ adgpresult --computer
To view the report for the current
$ adgpresult --user
To view the report for a particular user
$ dzdo adgpresult --user [user.name]

====Joining Active Directory====
----
adjoin - joins an Active Directory domain

To run adjoin successfully, you need
* to be root or sudo
* to have the credentials (or the keytab) of an AD user that can join computers to a container (NOT Domain Admin)
* to know the Distinguished Name (e.g. "ou=servers,ou=unix") of the container that you will place the system in AD
* to know the domain name you're joining
* to have a clear network path to the DC or DCs you're using (dns, global catalog, kerberos, ldap, cifs, ntp).

To join AD in workstation/express mode (AD user must be able to add computers to "ou=workstations,ou=unix")
$ sudo adjoin --workstation --container "ou=workstations,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
To join AD in Self-Service mode (AD/Centrify admin pre-created the machine ahead of time using AM or Centrify PS) (How we do it at work)
$ sudo adjoin --selfserve [domain.name]
To join AD in zone mode (e.g. Global zone)
$ sudo adjoin --zone Global --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
To join AD in zone mode and don't initialize (precache)
$ sudo adjoin --noinit --zone Global --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
To join AD and trust the Computer for Delegation (must know what you're doing - security implications)
$ sudo adjoin --trust Global --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
To join AD in workstation mode and specify a workstation license
$ sudo adjoin --licensetype "workstation"--workstation --container "ou=workstations,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
To use an specific domain controller to join (e.g. dc1.hq.fabrikam.com)
$ sudo adjoin --server dc1.hq.fabrikam.com Global --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
To join a Mac in Workstation mode and instruct Centrify to use the Apple algorighm to generate UID/GID scheme
$ sudo adjoin --enableAppleIDGenScheme --container "ou=macs,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
To join AD and provide a different "AD name" than the local system name (e.g. adserver vs. localhost)
$ sudo adjoin --name adserver --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
To join AD using keytab (kinit Authorized AD user keytab first, then run adjoin without the --user option)
$ env KRB5_CONFIG=[/path/to/krb5.conf] /usr/share/centrifydc/kerberos/bin/kinit -kt /path/to/keytab [principal]
$ sudo adjoin --zone Global --container "ou=servers,ou=unix" --verbose [domain.name]
Another way we do it at work:
$ sudo adjoin --zone <zone_name> -u <username> <domain> --name <hostname> --force

====Leaving Active Directory====
----
adleave - leaves an Active Directory domain

To run adleave succesfully, you neeed:
* sudo or root
* for online leave, authorized AD user credentials

Leave the domain and disable the computer object (orphan object left behind)
$ dzdo adleave --user [Authorized ADUsername]
Leave the domain and remove computer object (frees license)
$ dzdo adleave --user [Authorized ADUsername] --remove
Offline/forced leave (no AD connectivity required, must clean-up in AD)
$ dzdo adleave --force

====Privilege Elevation ("dz" commands)====
----
dzinfo - displays information of the user's access controls

To view self access (all)
$ dzinfo
To view the properties of the role(s), including effectiveness
$ dzinfo --roles
To view how you can access the system (PAM rights)
$ dzinfo --pam
To view the commands you can run
$ dzinfo --commands
To view the computer roles that apply to the system (requires elevation)
$ dzinfo --computer-role
To view authorization information about about another user (requires elevation)
$ dzdo dzinfo [user.name]
To test a command against the role
$ dzinfo --test [path/to/binary] [options]

====Centrify-enhanced sudo=====
----
dzdo - centrify-enhanced sudo. Uses Centrify zone data in AD for commands, otherwise identical to sudo.

To view version information (as of 2015, based on sudo 1.8.10p3)
$ dzdo -V
Use man sudo or man dzdo for more.

Need to check what this does:
$ dzdo -l

====DirectAudit Commands ("da" commands)====
----
dainfo - shows information about the status of the audit agent

To view the audit agent status
$ dainfo
To view status with verbose output
$ dainfo --diag (or dadiag)
To view contents of the configuration file
$ dainfo --config
To view audited status of another user (must elevate)
$ dzdo dainfo --username lisa.simpson

dacontrol - controls the status/configuration of the directaudit client (requires elevation)

To set the installation (if not set by Group Policy)
$ dzdo dacontrol --installation [installation-name]
To check if the audit agent is enabled
$ dzdo dacontrol --query
To enable direct audit
$ dzdo dacontrol --enable
To disable direct audit
$ dzdo dacontrol --disable

====FAQ====
----
=====What happens when adjoin is run succesfully?=====
This activates the DirectControl agent (adclient/CentrifyDC service).
# Creates a computer object in AD and sets SPNs for http, host, nfs, cifs, afpserver
# Establishes a secure communication channel between the system and Active Directory
# A forest/domain/site map is created to locate the nearest DCs
# The Kerberos environment (krb5.conf, krb5.keytab) are maintained by Centrify (configurable). A backup is created.
# Network time is synchronized with AD DCs (configurable)
# The PAM (Pluggable Authentication Modules) are modified to include Centrify auth, account, password, session modules. A back-up of the previous configuration is made.
# The NSS (Name Service Switch) providers for users and groups defaults to AD first, then other methods (e.g. files, ldap, etc). A backup of the previous configuration is made.
## Note: in the OS X platform, the PAM/NSS functions are channeled via the Directory Services Plugin API.
# An Access Control Model is enforced depending on the zone mode:
## In zone mode: Authorization (RBAC) follows zone rules (defaults to closed, only authorized users can access and enabled groups are visible)
## In express/workstation mode: Only Authentication is facilitated. The system is open for all AD users and all groups are visible.
# Privilege Elevation: Centrify-enhanced sudo (dzdo) becomes active based on the roles/rights defined.
# User/Group identity (RFC2307) data in AD is stored within the Centrify zone, NOT with the user/group object.
# The virtual registry is initialized and group policies are enforced.

=====What happens when adleave is run succesfully?=====
# Online the --remove object: The object in AD is removed from the container and from the zone (frees license)
# Online the without --remove object: The object in AD is marked as disabled. Must be ovewritten to rejoin.
# Offline: The object in AD is left orphaned. Cleanup must happen via any Centrify API (AM, PowerShell, adedit)
# The UNIX environment is reset and rolled back (Kerberos, PAM, NSS)
# The Centrify adclient (CentrifyDC) service is disabled.

====Important Files and Folders====
----
* /usr/share/centrifydc/
** /bin > contains user binaries, including centrify-enhanced openldap tools like ldapsearch
** /sbin > contains system binaries, including adcert and centrify-enhanced OpenSSH
** /samples > sample files for hadoop, adedit and local account management
Note: on OS X El Capitan, things changed to /usr/local/share/centrifydc

* /etc/centrifydc
** /centrifydc > config files for the DirectControl agent
** /centrifyda > config files for the DirectAudit agent
** /centrifycc > config files for the Privilege Service CLI Toolkit for AAPM
** /openldap > config files for Centrify-enhanced OpenLDAP proxy if installed
** /ssh > config files for Centrify-enhanced OpenSSH

* var/centrifydc
** kset* files > dynamic information about the environment
** reg > virtual registry, contains the computer and user hives (user GPO disabled on Servers)

* /var/centrify
** net/certs > location of any Microsoft Certificate Authorithy auto-enrolled certs, keys and trust chain

Centrify/Delinea - Revision history