Centrify/Delinea

From DikapediaV2
Revision as of 14:42, 21 August 2024 by Ardika Sulistija (talk | contribs) (Created page with "This is the Centrify for UNIX/Linux/Mac Command Line Cheat Sheet<br> Ref: https://centrifying.blogspot.com/2016/02/centrify-for-unix-cli-cheat-sheet.html ====AD-bridging commands ("ad" commands)==== ---- <b>adcheck</b> - check OS, network and AD readiness for Centrify DirectControl To check the system with domain (e.g. corp.contoso.com) $ adcheck corp.contoso.com To only perform OS checks $ adcheck --test os To only perform network-related tests $ adcheck --test n...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

This is the Centrify for UNIX/Linux/Mac Command Line Cheat Sheet
Ref: https://centrifying.blogspot.com/2016/02/centrify-for-unix-cli-cheat-sheet.html


AD-bridging commands ("ad" commands)


adcheck - check OS, network and AD readiness for Centrify DirectControl

To check the system with domain (e.g. corp.contoso.com)

$ adcheck corp.contoso.com

To only perform OS checks

$ adcheck --test os

To only perform network-related tests

$ adcheck --test net corp.contoso.com

To only perform AD-related tests

$ adcheck --test ad corp.contoso.com

To check the system with a service domain controller (e.g. dc1)

$ adcheck --servername dc1 corp.contoso.com

To check connectivity only with DCs within the site

$ adcheck --siteonly corp.contoso.com

To check only on 3 (or n) DCs in a large domain

$ adcheck --bigdommain 3 corp.contoso.com

To check trust relationships (e.g. with hq.fabrikam.com)

$ adcheck --xdomain corp.contoso.com

To skip NTP checking (if you are not doing sync with AD DCs)

$ adcheck --skip-ntp corp.contoso.com


adinfo: provides information about the status of the agent

Looking-up Basic Information To check the general status of the client

$ adinfo

To see the current domain controller the client is using

$ adinfo --server

To see the current domain the agent is joined to

$ adinfo --domain

To see the status (mode) of the agent (connected to ad or in offline mode)

$ adinfo --mode

To see the version of the installed client

$ adinfo --version

To see the corresponding Centrify Suite Version

$ adinfo --suite-version

To view Active Directory connectivity to the current domain

$ adinfo --test

To view the current Active Directory site

$ adinfo --site

To see the current joined Centrify zone

$ adinfo --zone
$ adinfo --zonedn  (in distinguishedName format)


DNS

To check for the "joined-as" name (local host name and joined as name may be different)

$ adinfo --name

To check the status of the DNS cache and stats

$ adinfo --diag dns


Connectivity

To check connectivity with an AD domain

$ adinfo --test [domain.name]

To check network connectivity statistics

$ adinfo --sysinfo neststate

To test connectivity against a specific domain controller

$ adinfo --T --servername [domain.controller.name]


Active Directory

To see the current AD Global Catalog

$ adinfo --gc

To see the domain/forest map

$ adinfo --sysinfo domain

To see the status of the AD computer trust relationship

$ adinfo --sysinfo adagent

Testing a user's password

$ adinfo -A --user [username] 
# this will prompt you for a password, the output is:
Password for user "username" is correct/incorrect
Configuration

To parse the contents of the centrify.conf file

$ adinfo --config

To show the client's in memory configuration parameters

$ adinfo --sysinfo config


Kerberos

To view Kerberos information like supported encryption types, key version and registered SPNs

$ adinfo --computer

To view the updated Kerberos configuration in the local system

$ cat /etc/krb5.conf

To list the principals in the system's krb5.conf file

$ dzdo /usr/share/centrifydc/kerberos/bin/klist -kt /etc/krb5.keytab

To determine the encryption types of the system's cached ticket

$ dzdo /usr/share/centrifydc/kerberos/bin/klist -fe /etc/krb5.ccache


PKI

adcert - centrify Microsoft PKI client

To perform auto-enrollment of Computer PKI certificates (requires elegible template and communications) Using the computer object to authenticate

$ dzdo /usr/share/centrifydc/sbin/adcert --enroll --machine

Using a user to authenticate

$ dzo /usr/share/centrifydc/sbin/adcert --enroll --user [ADusername]


Dynamic DNS


addns - a dynamic DNS client for AD DNS or RFC 2136-compliant servers

To renew DNS using machine credentials

$ sudo addns --update --machine

To renew DNS using user credentials

$ sudo addns --update --user [ADusername]

To renew DNS only on a specific interface (e.g. eth0)

$ sudo addns --update --machine --interface eth0


Querying Centrify-enabled AD Users and Groups


adquery: provides information about Active Directory users and groups that are UNIX-enabled by Centrify

To view all Centrify UNIX-enabled users

$ adquery user

will show all AD users in Express mode / Only authorized in Zone mode To view all Centrify UNIX-enabled groups

$ adquery groupwill show all AD groups in Express mode / Only unix-enabled in Zone mode

To view a user's entry (UNIX passwd file style)

$ adquery user [username]

To view a group entry (UNIX group filestyle)

$ adquery group [groupname]

To view only the user or group's AD group memberships

$ adquery user [user] --adgroup

To view all information about a user or group (including AD object attributes)

$ adquery user|group [user or group] -A

To view the distinguishedName a user or group

$ adquery user|group [user or group] --dn

To view all information and include password expiration, account lockout/enabled state

$ sudo adquery user [user] -A

To view information about a computer

$ adquery user [computername]$ -A

To get results from cache (instead of fetching from AD)

$ adquery user|group [options] --cache-first


Centrify Cache Commands


adflush - clears the Centrify cache in the local computer (dc, gc, credential & dns)

To flush the authorization cache

$ dzdo adflush --auth

To rebind and force a new DC selection

$ dzdo adflush --bindings

To flush the DNS cache

$ dzdo adflush --dns

To expire the information from domain controllers and global catalogs

$ dzdo adflush --expire

To force complete removal/expiration even when disconnected (use carefully)

$ dzdo adflush --force

To refresh the krb5.conf file

$ dzdo adflush --trusts

To clear the health history

$ dzdo adflush --health

To clear the cloud connectors (in MFA scenarios)

$ dzdo adflush --connectors


Group Policy-related Commands


adgpupdate - triggers the group policy refresh interval

To refresh the GPOs in the system

$ adgpupdate

To refresh only computer GPOs

$ adgpupdate --target Computer

To refresh only user GPOs

$ adgpupdate --target User

adgpresult - to view a RSOP (resultant set of policy) to the local system or user

To view the report for computer and user

$ adgpresult

To view the report for the computer

$ adgpresult --computer

To view the report for the current

$ adgpresult --user

To view the report for a particular user

$ dzdo adgpresult --user [user.name]


Joining Active Directory


adjoin - joins an Active Directory domain

To run adjoin successfully, you need

  • to be root or sudo
  • to have the credentials (or the keytab) of an AD user that can join computers to a container (NOT Domain Admin)
  • to know the Distinguished Name (e.g. "ou=servers,ou=unix") of the container that you will place the system in AD
  • to know the domain name you're joining
  • to have a clear network path to the DC or DCs you're using (dns, global catalog, kerberos, ldap, cifs, ntp).

To join AD in workstation/express mode (AD user must be able to add computers to "ou=workstations,ou=unix")

$ sudo adjoin --workstation --container "ou=workstations,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]

To join AD in Self-Service mode (AD/Centrify admin pre-created the machine ahead of time using AM or Centrify PS) (How we do it at work)

$ sudo adjoin --selfserve [domain.name]

To join AD in zone mode (e.g. Global zone)

$ sudo adjoin --zone Global --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]

To join AD in zone mode and don't initialize (precache)

$ sudo adjoin --noinit --zone Global --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]

To join AD and trust the Computer for Delegation (must know what you're doing - security implications)

$ sudo adjoin --trust Global --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]

To join AD in workstation mode and specify a workstation license

$ sudo adjoin --licensetype "workstation"--workstation --container "ou=workstations,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]

To use an specific domain controller to join (e.g. dc1.hq.fabrikam.com)

$ sudo adjoin --server dc1.hq.fabrikam.com Global --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]

To join a Mac in Workstation mode and instruct Centrify to use the Apple algorighm to generate UID/GID scheme

$ sudo adjoin --enableAppleIDGenScheme --container "ou=macs,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]

To join AD and provide a different "AD name" than the local system name (e.g. adserver vs. localhost)

$ sudo adjoin --name adserver --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]

To join AD using keytab (kinit Authorized AD user keytab first, then run adjoin without the --user option)

$ env KRB5_CONFIG=[/path/to/krb5.conf] /usr/share/centrifydc/kerberos/bin/kinit -kt /path/to/keytab [principal]
$ sudo adjoin --zone Global --container "ou=servers,ou=unix" --verbose [domain.name]

Another way we do it at work:

$ sudo adjoin --zone <zone_name> -u <username> <domain> --name <hostname> --force


Leaving Active Directory


adleave - leaves an Active Directory domain

To run adleave succesfully, you neeed:

  • sudo or root
  • for online leave, authorized AD user credentials

Leave the domain and disable the computer object (orphan object left behind)

$ dzdo adleave --user [Authorized ADUsername]

Leave the domain and remove computer object (frees license)

$ dzdo adleave --user [Authorized ADUsername] --remove

Offline/forced leave (no AD connectivity required, must clean-up in AD)

$ dzdo adleave --force


Privilege Elevation ("dz" commands)


dzinfo - displays information of the user's access controls

To view self access (all)

$ dzinfo

To view the properties of the role(s), including effectiveness

$ dzinfo --roles

To view how you can access the system (PAM rights)

$ dzinfo --pam

To view the commands you can run

$ dzinfo --commands

To view the computer roles that apply to the system (requires elevation)

$ dzinfo --computer-role

To view authorization information about about another user (requires elevation)

$ dzdo dzinfo [user.name]

To test a command against the role

$ dzinfo --test [path/to/binary] [options]


Centrify-enhanced sudo=


dzdo - centrify-enhanced sudo. Uses Centrify zone data in AD for commands, otherwise identical to sudo.

To view version information (as of 2015, based on sudo 1.8.10p3)

$ dzdo -V

Use man sudo or man dzdo for more.

Need to check what this does:

$ dzdo -l


DirectAudit Commands ("da" commands)


dainfo - shows information about the status of the audit agent

To view the audit agent status

$ dainfo

To view status with verbose output

$ dainfo --diag  (or dadiag)

To view contents of the configuration file

$ dainfo --config

To view audited status of another user (must elevate)

$ dzdo dainfo --username lisa.simpson

dacontrol - controls the status/configuration of the directaudit client (requires elevation)

To set the installation (if not set by Group Policy)

$ dzdo dacontrol --installation [installation-name]

To check if the audit agent is enabled

$ dzdo dacontrol --query

To enable direct audit

$ dzdo dacontrol --enable

To disable direct audit

$ dzdo dacontrol --disable


FAQ


What happens when adjoin is run succesfully?

This activates the DirectControl agent (adclient/CentrifyDC service).

  1. Creates a computer object in AD and sets SPNs for http, host, nfs, cifs, afpserver
  2. Establishes a secure communication channel between the system and Active Directory
  3. A forest/domain/site map is created to locate the nearest DCs
  4. The Kerberos environment (krb5.conf, krb5.keytab) are maintained by Centrify (configurable). A backup is created.
  5. Network time is synchronized with AD DCs (configurable)
  6. The PAM (Pluggable Authentication Modules) are modified to include Centrify auth, account, password, session modules. A back-up of the previous configuration is made.
  7. The NSS (Name Service Switch) providers for users and groups defaults to AD first, then other methods (e.g. files, ldap, etc). A backup of the previous configuration is made.
    1. Note: in the OS X platform, the PAM/NSS functions are channeled via the Directory Services Plugin API.
  8. An Access Control Model is enforced depending on the zone mode:
    1. In zone mode: Authorization (RBAC) follows zone rules (defaults to closed, only authorized users can access and enabled groups are visible)
    2. In express/workstation mode: Only Authentication is facilitated. The system is open for all AD users and all groups are visible.
  9. Privilege Elevation: Centrify-enhanced sudo (dzdo) becomes active based on the roles/rights defined.
  10. User/Group identity (RFC2307) data in AD is stored within the Centrify zone, NOT with the user/group object.
  11. The virtual registry is initialized and group policies are enforced.
What happens when adleave is run succesfully?
  1. Online the --remove object: The object in AD is removed from the container and from the zone (frees license)
  2. Online the without --remove object: The object in AD is marked as disabled. Must be ovewritten to rejoin.
  3. Offline: The object in AD is left orphaned. Cleanup must happen via any Centrify API (AM, PowerShell, adedit)
  4. The UNIX environment is reset and rolled back (Kerberos, PAM, NSS)
  5. The Centrify adclient (CentrifyDC) service is disabled.


Important Files and Folders


  • /usr/share/centrifydc/
    • /bin > contains user binaries, including centrify-enhanced openldap tools like ldapsearch
    • /sbin > contains system binaries, including adcert and centrify-enhanced OpenSSH
    • /samples > sample files for hadoop, adedit and local account management

Note: on OS X El Capitan, things changed to /usr/local/share/centrifydc

  • /etc/centrifydc
    • /centrifydc > config files for the DirectControl agent
    • /centrifyda > config files for the DirectAudit agent
    • /centrifycc > config files for the Privilege Service CLI Toolkit for AAPM
    • /openldap > config files for Centrify-enhanced OpenLDAP proxy if installed
    • /ssh > config files for Centrify-enhanced OpenSSH
  • var/centrifydc
    • kset* files > dynamic information about the environment
    • reg > virtual registry, contains the computer and user hives (user GPO disabled on Servers)
  • /var/centrify
    • net/certs > location of any Microsoft Certificate Authorithy auto-enrolled certs, keys and trust chain