So you're already managing user accounts in Active Directory - but what about those pesky system accounts you're still managing in /etc/passwd? Wouldn't it be great to manage them with Centrify too? In this article we'll demonstrate how to securely manage local accounts using a combination of Centrify Server Suite and Centrify Privilege Service.
1. Centrify Server Suite - You will need Centrify Server Suite (2016 or later) deployed in your environment for the Local Account Provisioning feature.
2. Centrify Privilege Service - to be used for the secure storage of the local account password.
2b. You will also need a Centrify Connector running somewhere in your environment to facilitate communications between the Linux server and Centrify Privilege Service.
3. We will also leverage the Centrify Privilege Service CLI toolkit which is packaged with the CPS Linux Agent to set the password programmatically. (You can obtain this by logging into CPS, Setting --> Centrify Agent)
Step 1 - Create the Local Account
Let's create the local account quickly and easily using Centrify Server Suite. Open Centrify Access Manager and create the local account by expanding the zone, expanding "UNIX Data" and selecting Local Users. Right-click and choose "Add User to Zone". Fill in the local account details. (Note: You may wish to create a local group before creating the local user.)
(Tip: See a more detailed explanation of this process by Centrify Professional Services All-Star tchariya here.)
Step 2 - Secure the Password
We will leverage the Centrify Privilege Service CLI toolkit to secure the local account password.
First, log into the target resource and verify the local account has been created:
(Tip: Run adflush to get the account to populate if you had just created it in Access Manager).
Secure the password in Centrify Privilege Service using the csetaccount CLI command with the following parameters to generate a random managed password for the account testlocal2:
dzdo csetaccount -P -m testlocal2
Finally, go into Centrify Privilege Service and verify the account has been added. (Resources --> Servername --> Accounts)
(Note: Don't forget to edit the permissions on the newly added account to allow other Centrify Privilege Service users to interact with the account, e.g. request access to the account, check out the password, or log in remotely.)
As an example, here is the password that was securely generated for the account.
The password can be retrieved from the Centrify Privilege Service web interface or programmatically from the UNIX/Linux command line using the cgetaccount command, as in this example shell snippet, which places it in a variable. This is a good way to avoid embedding cleartext passwords in scripts.
PASSWORD=$(dzdo /usr/sbin/cgetaccount --silent engcen6.centrify.vms/testlocal2)
(Note: There are additional examples of this provided with the Centrify Privilege Service Linux Agent - look in the /usr/share/centrifycc/samples/apppassword/ directory).
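Building on the cgetaccount one-liner above, here is an added example (not Centrify's sample code) of a small POSIX shell wrapper that checks the password out, fails closed if the checkout returns nothing, and hands the password to a consumer on stdin so it never appears as a command-line argument or in shell history. It assumes the resource and account names from this article; the CGETACCOUNT variable and the --password-stdin consumer in the usage comment are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Centrify agent samples.
# CGETACCOUNT is the retrieval command; defaults to the article's dzdo form and
# can be overridden (e.g. pointed at a stub) where no CPS agent is installed.
set -u
CGETACCOUNT="${CGETACCOUNT:-dzdo /usr/sbin/cgetaccount}"

# fetch_password RESOURCE/ACCOUNT
# Prints only the checked-out password on stdout. Returns non-zero and prints
# nothing if the checkout fails or comes back empty, so callers fail closed
# instead of continuing with a blank credential.
fetch_password() {
    target="$1"
    pw=$($CGETACCOUNT --silent "$target") || return 1
    [ -n "$pw" ] || return 1
    printf '%s' "$pw"
}

# run_with_password RESOURCE/ACCOUNT CMD [ARGS...]
# Runs CMD with the password on its stdin. The password is never passed as an
# argument (visible in ps) and is not exported into CMD's environment.
run_with_password() {
    target="$1"; shift
    pw=$(fetch_password "$target") || {
        echo "password checkout failed for $target" >&2
        return 1
    }
    printf '%s\n' "$pw" | "$@"
    status=$?
    unset pw
    return $status
}

# Usage on a host with the CPS Linux Agent (hypothetical consumer):
#   run_with_password engcen6.centrify.vms/testlocal2 ./myapp --password-stdin
```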
The process described in this article can be automated! There is a sample script provided with the CPS Linux Agent that illustrates how to automatically set random passwords and create home directories for new local accounts, how to set random passwords for newly unlocked local users, and to display users that were removed/locked. (The script can be found in /usr/share/centrifycc/samples/localacctmgmt/).
And there you have it, a better way to manage local accounts securely using the Centrify Identity Platform!