11 April,19 at 11:49 AM
There currently are a lot of great articles on the Community and in our Knowledge Base that help you configure and tweak Centrify Server Suite to meet your needs in your Unix and Windows environment. But there is a lack of online resources that discuss the different tools Centrify provides to address the clean-up of your unix space, including /etc/passwd, /etc/group and local file space, i.e. home directories.
Without diving deep into Hierarchical Zone design, let us assume that you have integrated the Centrify Zone Provisioning Agent (ZPA) to auto-provision your unix user and group space, providing the unix environment with brand new and unique UIDs/GIDs. These UIDs/GIDs are stored in the Centrify Zone structure inside Active Directory and pushed down to your unix environment as needed.
If the UID/GID space was previously maintained using local files on a server that has since been Centrified, you should consider cleaning up that local user and group space as well as the local file space, since files on disk still carry the old numeric owners.
For example, on a local unix server, the /etc/passwd file has the following entry:
[root@engcen5 ~]# tail -4 /etc/passwd
than:x:10057:10057:Than Chariya:/home/than:/bin/bash
wade:x:10063:10063:Wade Tongen:/home/wade:/bin/bash
clyde:x:10025:10025:Clyde Baum:/home/clyde:/bin/bash
tetsu:x:10022:10022:Tetsu Ishii:/home/tetsu:/bin/bash
But, the unix server is now relying on Centrify to provide UID/GID for the environment:
[root@engcen5 ~]# adquery user
clyde:x:1627391092:1627391092:Clyde Baum:/home/clyde:/bin/bash
tetsu:x:1627391091:1627391091:Tetsu Ishii:/home/tetsu:/bin/bash
than:x:1627391106:1627391106:Than Chariya:/home/than:/bin/bash
The first unix command line tool provided by Centrify is adfixid. Looking at the man page for adfixid shows:
adfixid - change the ownership of a local user’s files to match the user and group IDs defined for the user in Active Directory.
If adfixid is run without any flags, the command will display a list of UID/GID that will require ownership changes.
[root@engcen5 ~]# adfixid
3 user-id conflicts were found.
Local UID(Name/Map)            Zone UID(Name)         Resolution     ID Map
------------------------------ ---------------------- -------------- ------
10022(tetsu)                   1627391091(tetsu)      Use zone ID    1627391091
10025(clyde)                   1627391092(clyde)      Use zone ID    1627391092
10057(than)                    1627391106(than)       Use zone ID    1627391106
3 group-id conflicts were found.
Local GID(Name/Map)            Zone GID(Name)         Resolution     ID Map
------------------------------ ---------------------- -------------- ------
10022(tetsu)                   1627391091(tetsu)      Use zone ID    1627391091
10025(clyde)                   1627391092(clyde)      Use zone ID    1627391092
10057(than)                    1627391106(than)       Use zone ID    1627391106
If adfixid -c/--commit is run, the ownership (UID/GID) of the affected files is changed to what is specified in AD; the local /etc/passwd and /etc/group entries are left alone.
If adfixid -C/--commit-all is run, the file ownership is changed and, in addition, /etc/passwd and /etc/group are updated to the AD IDs.
Running adfixid -C returns:
[root@engcen5 ~]# adfixid -C
15 file(s) changed
Examining the local files returns:
[root@engcen5 ~]# tail -4 /etc/passwd
than:x:1627391106:1627391106:Than Chariya:/home/than:/bin/bash
wade:x:10063:10063:Wade Tongen:/home/wade:/bin/bash
clyde:x:1627391092:1627391092:Clyde Baum:/home/clyde:/bin/bash
tetsu:x:1627391091:1627391091:Tetsu Ishii:/home/tetsu:/bin/bash
[root@engcen5 ~]# cat /etc/group | grep 1627
tetsu:x:1627391091:
clyde:x:1627391092:
than:x:1627391106:
Keep in mind that the adfixid command provides additional options through flags. Unix administrators might want to use the --report option to output the list of files whose UID/GID were changed, which gives an audit trail of exactly what was re-owned.
Taking the clean-up task one step further: since the majority of the UNIX user and group identity information is now stored in AD, cleaning up the /etc/passwd and /etc/group files should be the next task. Centrify provides an additional command line utility, adrmlocal, that removes entries from the local files that also exist in AD.
A quick look-up of the adrmlocal man page shows:
adrmlocal - reports and removes local user names that duplicate Active Directory user names
If adrmlocal is run without any flags, a quick report of the changes that would be made is displayed; no changes are made:
[root@engcen5 ~]# adrmlocal
3 local user(s) that are duplicated with AD users:
than:uid(1627391106):gid(1627391106):ADuid(1627391106):ADgid(1627391106)
clyde:uid(1627391092):gid(1627391092):ADuid(1627391092):ADgid(1627391092)
tetsu:uid(1627391091):gid(1627391091):ADuid(1627391091):ADgid(1627391091)
4 local group(s) that are duplicated with AD groups:
sysadm:gid(230):ADgid(230)
tetsu:gid(1627391091):ADgid(1627391091)
clyde:gid(1627391092):ADgid(1627391092)
than:gid(1627391106):ADgid(1627391106)
Command summary
Users:
3 duplicated local user(s) to be removed
0 duplicated local user(s) in ignore list
0 duplicated local user(s) deleted
0 error(s) found when removing a local user
Groups:
4 duplicated local group(s) to be removed
0 duplicated local group(s) in ignore list
0 duplicated local group(s) deleted
0 error(s) found when removing a local group
adrmlocal requires one of three flags to actually make changes: -i/--interactive steps through each entry and asks before removal, -c/--commit deletes all duplicates found and prompts only on conflicts, and -f/--force deletes all entries without prompting.
[root@engcen5 ~]# adrmlocal -i
3 local user(s) that are duplicated with AD users:
than:uid(1627391106):gid(1627391106):ADuid(1627391106):ADgid(1627391106)
clyde:uid(1627391092):gid(1627391092):ADuid(1627391092):ADgid(1627391092)
tetsu:uid(1627391091):gid(1627391091):ADuid(1627391091):ADgid(1627391091)
Remove duplicated local users
than:uid(1627391106):gid(1627391106):ADuid(1627391106):ADgid(1627391106)
Delete local user than ? (Yes/No)
y
executing command (/usr/sbin/userdel than )...
Local user than is deleted
clyde:uid(1627391092):gid(1627391092):ADuid(1627391092):ADgid(1627391092)
Delete local user clyde ? (Yes/No)
y
executing command (/usr/sbin/userdel clyde )...
Local user clyde is deleted
tetsu:uid(1627391091):gid(1627391091):ADuid(1627391091):ADgid(1627391091)
Delete local user tetsu ? (Yes/No)
y
executing command (/usr/sbin/userdel tetsu )...
Local user tetsu is deleted
Command summary
Users:
3 duplicated local user(s) to be removed
0 duplicated local user(s) in ignore list
3 duplicated local user(s) deleted
0 error(s) found when removing a local user
Keep in mind that these commands can only be run with elevated root privileges. As always, back up your local files (/etc/passwd, /etc/group and their shadow counterparts) prior to running adfixid or adrmlocal, since both tools rewrite them in place once committed.
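The following shell script is an added example and is not Centrify's code or part of the original post. It shows the same comparison the two tools perform, in read-only form, so an administrator can review the scope before committing adfixid or adrmlocal: it reads a passwd-format file of local accounts and a passwd-format file saved from `adquery user`, flags users whose local IDs differ from the AD IDs (what adfixid would re-own) and users whose IDs already match (what adrmlocal would remove), lists files still owned by a conflicting local UID, and copies the local files aside first. The function names, the file names and the sample entries (modelled on the engcen5 host above) are all constructed for this example; `find -uid` is a GNU/BSD extension.

```shell
#!/bin/sh
# Added example, not Centrify's code. Read-only pre-check that mirrors what
# adfixid (ID conflicts) and adrmlocal (duplicates) report. All file names and
# sample data below are constructed for the example.

# classify_users LOCAL_PASSWD AD_PASSWD
# For every local user that also exists in AD, print one line:
#   CONFLICT  name localuid:localgid aduid:adgid  -> adfixid would re-own files
#   DUPLICATE name uid:gid                        -> IDs match; adrmlocal candidate
# Local-only users (no AD entry) are not printed.
classify_users() {
    awk -F: '
        NR == FNR { ad_uid[$1] = $3; ad_gid[$1] = $4; next }   # first file: AD view
        ($1 in ad_uid) {
            if ($3 != ad_uid[$1] || $4 != ad_gid[$1])
                printf "CONFLICT %s %s:%s %s:%s\n", $1, $3, $4, ad_uid[$1], ad_gid[$1]
            else
                printf "DUPLICATE %s %s:%s\n", $1, $3, $4
        }
    ' "$2" "$1"
}

# stale_owned_files ROOT LOCAL_PASSWD AD_PASSWD
# List files under ROOT still owned by a conflicting local UID, i.e. the files
# that adfixid -c would chown to the AD UID. Unreadable paths are skipped.
stale_owned_files() {
    classify_users "$2" "$3" |
    awk '$1 == "CONFLICT" { split($3, l, ":"); print l[1] }' |
    while read -r uid; do
        find "$1" -uid "$uid" 2>/dev/null
    done
}

# backup_local_files DEST FILE...
# Copy each file into DEST with mode/ownership preserved and a timestamp suffix,
# so the pre-commit state can be restored. Prints DEST on success.
backup_local_files() {
    dest=$1; shift
    stamp=$(date +%Y%m%d%H%M%S)
    mkdir -p "$dest" || return 1
    for f in "$@"; do
        cp -p "$f" "$dest/$(basename "$f").$stamp" || return 1
    done
    echo "$dest"
}

# --- constructed sample data: the local file and the adquery view ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
than:x:10057:10057:Than Chariya:/home/than:/bin/bash
wade:x:10063:10063:Wade Tongen:/home/wade:/bin/bash
clyde:x:1627391092:1627391092:Clyde Baum:/home/clyde:/bin/bash
tetsu:x:10022:10022:Tetsu Ishii:/home/tetsu:/bin/bash
EOF
cat > "$demo_dir/adquery.out" <<'EOF'
clyde:x:1627391092:1627391092:Clyde Baum:/home/clyde:/bin/bash
tetsu:x:1627391091:1627391091:Tetsu Ishii:/home/tetsu:/bin/bash
than:x:1627391106:1627391106:Than Chariya:/home/than:/bin/bash
EOF

# Review the report; on a real host the two files would be /etc/passwd and
# the saved output of `adquery user`, and ROOT would be /home.
classify_users "$demo_dir/passwd" "$demo_dir/adquery.out"
stale_owned_files "$demo_dir" "$demo_dir/passwd" "$demo_dir/adquery.out"
backup_local_files "$demo_dir/backup" "$demo_dir/passwd" >/dev/null
```

In the sample data, than and tetsu come out as CONFLICT (old 10057/10022 IDs versus the AD IDs), clyde comes out as DUPLICATE because its IDs were already fixed, and wade is skipped because it is local-only; that matches the split between what adfixid and adrmlocal each act on in the post. Running the report against the real files before either commit flag is the cheapest way to confirm the tools will touch only the accounts you expect.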