KB-2064: Understanding the AD user log-on process

Centrify DirectAudit ,   Centrify DirectControl ,   Centrify Identity Service, Mac Edition ,  

12 April,16 at 10:59 AM

Applies to: All versions of DirectControl

Question:
Can you help understand the process for a typical log on request at a workstation/server which is running DirectControl agent ?

Answer:
The following figure provides a simplified view of a typical log-on process when using Centrify DirectControl.

[Figure: simplified view of the DirectControl log-on process (PAM-enabled login program, pam_centrifydc, adclient, Active Directory domain controller and local cache). The image is not reproduced here; the numbered steps below describe the same flow.]

When a user logs on to the UNIX computer, the following takes place:

  1. A login process starts and prompts the user to supply a user name.

  2. The user responds by entering a valid local or Active Directory user name.

  3. The login process, which is a PAM-enabled program, then reads the PAM configuration (/etc/pam.conf, or the per-service files under /etc/pam.d on Linux) and determines that it should use the Centrify DirectControl PAM module, pam_centrifydc, for identification. The UNIX login process then passes the log-in request and the user name to the Centrify DirectControl Pluggable Authentication Module (PAM) service for processing.

  4. The PAM service checks parameters in the Centrify DirectControl configuration file to see if the user name entered is an account that should be authenticated locally.

    • If the user should be authenticated locally, the PAM service passes the log-in request to the next PAM module in the PAM configuration file, for example, to the local module that consults /etc/passwd.

    • If the user is not set to be authenticated locally, the PAM service checks to see if the Centrify DirectControl agent process, adclient, is running. If it is, the PAM service passes the log-in request and user name to adclient for processing.

  5. The adclient process connects to Active Directory and queries the Active Directory domain controller to determine whether the user name included in the request is a Centrify DirectControl user who has access to computers in the current computer’s zone.

    • If adclient is unable to connect to Active Directory, it queries the local cache to determine whether the user name has been successfully authenticated before.

    • If adclient can connect to Active Directory but the user account does not have access to computers in the current zone or if the user can’t be found in Active Directory or the local cache, adclient checks the Centrify DirectControl configuration file to see if the user name is mapped to a different Active Directory user account.

    • If the username is mapped to another Active Directory account in the configuration file, adclient queries the Active Directory domain controller or local cache to determine whether the mapped user name has access to computers in the current computer’s zone.

  6. If the user has a UNIX profile for the current zone, adclient receives the zone-specific information for the user, such as the user’s UID, the user’s local UNIX name, the user’s global Active Directory user name, the groups of which the user is a member, the user’s home directory, and the user’s default shell.

  7. The adclient process queries through the NSS service to determine whether any other user on the computer already has the same UID. If there is no conflict, the log-in request continues and adclient passes the request to the PAM service to have the UNIX login process prompt for a password.

  8. The UNIX login process prompts the user to provide a password and returns the password to the PAM service.

  9. The PAM service checks parameters in the Centrify DirectControl configuration file to see if any user or group filtering has been specified to allow or deny access to specific user or group accounts. If any filtering has been specified, the current user is either allowed to continue with the login process or denied access.

  10. If the current user account is not prevented from logging on by user or group filtering, the PAM service queries adclient to see if the user is authorized to log on.

  11. The adclient process queries the Active Directory domain controller through Kerberos (the supplied password is validated as part of this exchange) to determine whether the user is authorized to log on to the current computer at the current time.

  12. The adclient process receives the results of its authorization request from Active Directory and passes the reply to the PAM service.

    • If the user is not authorized to use the current computer or to log in at the current time, the PAM service denies the user’s request to log on through the UNIX login process.

    • If the user’s password has expired, the PAM service sends a request through the UNIX login process asking the user to change the password. After the user supplies a new password, log-in succeeds.

    • If the user’s password is about to expire, the PAM service notifies the user of impending expiration through the UNIX login process.

    • If the user is authorized to log on and has a current password, the login process completes successfully. If this is the first time the user has logged on to the computer through Centrify DirectControl, the PAM service creates a new home directory on the computer in the location specified in the Centrify DirectControl configuration file by the parameter pam.homeskel.dir.
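The order of the checks above matters: a local-account bypass and a UID conflict are decided before the password is ever requested, allow/deny filtering is applied before adclient contacts the domain controller, and the cache is consulted only when the domain controller is unreachable. The following Python model replays that decision order over constructed in-memory data. It is an added illustration for this article, not Centrify code: the class and field names (ZoneProfile, AgentConfig, Host, local_users, user_map, allowed_users, denied_groups) are this example's own and do not correspond to real centrifydc.conf parameter names, except pam_homeskel_dir, which mirrors pam.homeskel.dir from the text. How the agent treats a wrong password is not spelled out on this page; treating it as a denial is an assumption of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class ZoneProfile:
    """Zone-specific data adclient returns for a user (step 6)."""
    ad_name: str                        # global Active Directory user name
    unix_name: str                      # local UNIX name in this zone
    uid: int
    groups: Tuple[str, ...]
    home: str
    shell: str
    password_expired: bool = False
    password_expiring: bool = False
    logon_permitted_now: bool = True    # computer access / logon hours (step 11)


@dataclass
class AgentConfig:
    """Settings the flow consults. Names are this example's own, not real
    centrifydc.conf parameters (pam_homeskel_dir mirrors pam.homeskel.dir)."""
    local_users: Set[str]               # accounts handed to the next PAM module (step 4)
    user_map: Dict[str, str]            # unix name -> other AD account (step 5)
    allowed_users: Optional[Set[str]]   # None means no user filtering (step 9)
    denied_groups: Set[str]             # group filtering (step 9)
    pam_homeskel_dir: str = "/etc/skel"


@dataclass
class Host:
    ad_reachable: bool
    zone_users: Dict[str, ZoneProfile]  # what the DC answers for this zone
    cache: Dict[str, ZoneProfile]       # users authenticated before (step 5)
    local_uids: Set[int]                # UIDs already present via NSS (step 7)
    existing_homes: Set[str]
    messages: list = field(default_factory=list)


def lookup_profile(name: str, host: Host) -> Optional[ZoneProfile]:
    """Step 5: ask the DC if reachable, otherwise fall back to the local cache."""
    if host.ad_reachable:
        return host.zone_users.get(name)
    return host.cache.get(name)


def resolve_user(name: str, host: Host, cfg: AgentConfig) -> Optional[ZoneProfile]:
    """Steps 5-6: direct lookup, then the configured user mapping as a fallback."""
    profile = lookup_profile(name, host)
    if profile is None and name in cfg.user_map:
        profile = lookup_profile(cfg.user_map[name], host)
    return profile


def logon(name: str, password_ok: bool, host: Host, cfg: AgentConfig) -> str:
    """Replay steps 4-12 and return the outcome the PAM stack would act on."""
    if name in cfg.local_users:
        return "local"                              # step 4: next PAM module decides
    profile = resolve_user(name, host, cfg)
    if profile is None:
        return "denied:unknown-user"                # not in AD, cache, or mapping
    if profile.uid in host.local_uids:
        return "denied:uid-conflict"                # step 7: no password prompt at all
    # step 8: the login program collects the password here (password_ok stands in)
    if cfg.allowed_users is not None and name not in cfg.allowed_users:
        return "denied:user-filter"                 # step 9
    if set(profile.groups) & cfg.denied_groups:
        return "denied:group-filter"                # step 9
    # steps 10-12: adclient asks the DC via Kerberos. The wrong-password case is
    # not described on the page; denying it is this example's assumption.
    if not password_ok or not profile.logon_permitted_now:
        return "denied:authorization"
    if profile.password_expired:
        return "password-change-required"
    if profile.password_expiring:
        host.messages.append(f"password for {profile.ad_name} expires soon")
    if profile.home not in host.existing_homes:     # first logon through DirectControl
        host.existing_homes.add(profile.home)
        host.messages.append(f"created {profile.home} from {cfg.pam_homeskel_dir}")
    return "success"


def demo_host(ad_reachable: bool = True) -> Host:
    """Constructed sample data: four zone users, one of them already cached."""
    alice = ZoneProfile("alice@corp.example", "alice", 10001, ("developers",), "/home/alice", "/bin/bash")
    bob = ZoneProfile("bob@corp.example", "bob", 10002, ("contractors",), "/home/bob", "/bin/sh")
    carol = ZoneProfile("carol@corp.example", "carol", 1000, ("developers",), "/home/carol", "/bin/bash")
    dave = ZoneProfile("dave@corp.example", "dave", 10004, ("developers",), "/home/dave", "/bin/bash",
                       password_expired=True)
    return Host(ad_reachable, {p.unix_name: p for p in (alice, bob, carol, dave)},
                {"alice": alice}, {0, 1000}, set())


def demo_config() -> AgentConfig:
    """Constructed sample settings: root stays local, 'oracle' maps to alice, contractors denied."""
    return AgentConfig({"root"}, {"oracle": "alice"}, None, {"contractors"})


if __name__ == "__main__":
    host, cfg = demo_host(), demo_config()
    for user in ("root", "alice", "oracle", "bob", "carol", "dave", "nobody"):
        print(f"{user:8} -> {logon(user, True, host, cfg)}")
    print("offline alice ->", logon("alice", True, demo_host(ad_reachable=False), cfg))
```

Running the block prints one outcome per scenario: carol is refused before any password prompt because her UID 1000 collides with a local account, bob is stopped by group filtering before the domain controller is consulted, and alice still gets in with the domain controller unreachable because she is in the cache, while bob would not be.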

The same details can be found in the DirectControl Administrator's Guide, section "Understanding the log-on process".
