
[GUIDE] Alternative Method to Cleaning Up the Local /etc/passwd and /etc/group Files

11 April,19 at 11:50 AM

A while back, I wrote an article for this technical forum outlining the use cases and the functionality of the adrmlocal and adfixid commands that are packaged with the DirectControl clients installed on the unix servers.

Follow this link to review that article: Using adrmlocal and adfixid

While adrmlocal works well to remove /etc/passwd entries for unix user accounts that are now stored in AD and presented by the DirectControl agent, it leaves alone any user, shared, or service account entries that have no matching account in AD.

Some of these accounts may be managed by a configuration tool such as Puppet, Chef, or Ansible. Others could ultimately be managed by Centrify: account passwords vaulted and rotated with MFA/2FA enabled (CIS/CPS), privileged/sudo rights centrally managed (DirectAuthorize/dzdo), and Kerberos ticketing.

But there will be accounts across the local unix environment that are no longer needed. Leaving these local accounts active creates a potential security risk, or at least a finding on an audit report. You could spend time writing a script to collect the password files and programmatically sort through each entry to identify the abandoned local accounts. Or you could delegate the task to a junior systems administrator, who will most likely log into every server and manually identify and remove the abandoned local accounts line by line.

But these days, a Centrify Administrator's work can be gauged by the efficiency and accuracy with which a task is performed. In this post, I want to present a methodology for cleaning up the local /etc/passwd file using our Centrify Deployment Manager tool. Deployment Manager is packaged with our Server Suite product. If you have gone through any of the Centrify training or engaged with Centrify's Professional Services team, you are most likely familiar with this tool and already have it installed in your environment.

If you have not, you will need to install Centrify Deployment Manager. The installer files are located in the DirectManage folder of the Server Suite zip files.

Once installed, launch the Deployment Manager using the Desktop Icon:

The first step is to add the servers you want Deployment Manager to evaluate. To do this, right-click on 'Computers' and select 'Add Computers...'.

There are several different methods for adding computers to Deployment Manager. I happen to prefer 'Import a computer list from a text file'. This keeps the job efficient and accurate, because only the servers we are targeting for clean-up are listed.

Next, provide a text file of servers (either hostname or IP address):

Then you must provide an account that has privileged access to root, either by way of sudo or dzdo. The root account itself works as well.

Then provide the associated account password.

Once Deployment Manager has successfully discovered your servers, it downloads a copy of each server's /etc/passwd and /etc/group into the tool.

At this point you can work with each server individually, or work with the consolidated user data for all discovered servers by clicking on 'Local Accounts'.

On the right pane, you will see the consolidated list of local accounts from all servers discovered.

Deployment Manager lets you sort the list by any column. Just click the column name and toggle the sort order between Ascending and Descending.

Sort by UNIX Name:

Isolate the users you want to remove from the servers' local /etc/passwd files.

Multi-select entries using control-click or shift-click; then right-click your highlighted selection and choose 'Delete'.

Deployment Manager will reach out to each server and remove the accounts you have selected. Keep in mind that Deployment Manager does not delete the users' home directories: Centrify wants to avoid deleting data that may not yet have been reviewed or migrated by the user, their peers, or their managers.
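As an added example (not Centrify's code and not part of the original post), the script below does in code what the 'Local Accounts' pane does by hand: it consolidates /etc/passwd copies from several servers, leaves system accounts alone, separates AD-backed accounts (adrmlocal's job) and configuration-managed accounts from the orphans, and lists each orphan's hosts and home directory so the data can be reviewed before anything is deleted. The hostnames, account names, and the AD/managed lists are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: one /etc/passwd excerpt per host, standing in for the copies
# Deployment Manager pulls from each discovered server (hostnames are made up).
PASSWD_BY_HOST = {
    "web01": ("root:x:0:0:root:/root:/bin/bash\n"
              "jsmith:x:1001:1001:John Smith:/home/jsmith:/bin/bash\n"
              "oldapp:x:1002:1002:Legacy app:/opt/oldapp:/bin/sh\n"),
    "db01": ("root:x:0:0:root:/root:/bin/bash\n"
             "jsmith:x:1001:1001:John Smith:/home/jsmith:/bin/bash\n"
             "backup:x:1003:1003:Backup svc:/var/backups:/bin/sh\n"
             "malformed line\n"),
}
# Assumed inputs: names now served from AD by the DirectControl agent (what adrmlocal
# would remove) and names deliberately kept under Puppet/Chef/Ansible or Centrify.
AD_ACCOUNTS = {"jsmith"}
MANAGED_ACCOUNTS = {"backup"}
MIN_USER_UID = 1000  # lower UIDs are OS/system accounts and are never candidates

def parse_passwd(text):
    """Yield (name, uid, home, shell) for each well-formed 7-field line."""
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7 or not f[2].isdigit():
            continue  # skip malformed lines rather than misclassify them
        yield f[0], int(f[2]), f[5], f[6]

def consolidate(passwd_by_host):
    """Like the 'Local Accounts' pane: user name -> {host: {uid, home, shell}}."""
    users = defaultdict(dict)
    for host, text in passwd_by_host.items():
        for name, uid, home, shell in parse_passwd(text):
            users[name][host] = {"uid": uid, "home": home, "shell": shell}
    return users

def classify(users, ad_accounts, managed_accounts, min_uid=MIN_USER_UID):
    """Map each name to 'system', 'in_ad', 'managed' or 'orphan' (needs review)."""
    def category(name, hosts):
        if all(h["uid"] < min_uid for h in hosts.values()):
            return "system"
        if name in ad_accounts:
            return "in_ad"
        return "managed" if name in managed_accounts else "orphan"
    return {name: category(name, hosts) for name, hosts in users.items()}

def orphan_report(passwd_by_host, ad_accounts, managed_accounts):
    """Orphans with their hosts and home dirs, so data can be reviewed before deletion."""
    users = consolidate(passwd_by_host)
    cats = classify(users, ad_accounts, managed_accounts)
    return sorted((n, sorted(h), sorted({x["home"] for x in h.values()}))
                  for n, h in users.items() if cats[n] == "orphan")
```

The report is the review list: the 'orphan' rows are the ones to confirm with the account's owner before selecting them for deletion, while 'in_ad' rows are what adrmlocal already handles.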

Before / After: screenshots of the local account list before and after the delete.

You can also delete local unix groups that you have migrated to Centrify:

Most Centrify Administrators will only need to clean up the local user and group files of servers that they have joined to AD.

If you have a slick script/tool that you use to manage your local users and group clean-up, please don't hesitate to share it with the community.

NOTE: For those of you who took a close look at the images above: yes, Centrify Deployment Manager can also change the passwords of local accounts (and in bulk, too!).
