Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-2739: How to setup dzdo to prompt for a password for aduser

Authentication Service ,  

12 April,16 at 11:44 AM

Applies to: DirectAuthorize on All Platforms

Question:

How can dzdo be setup to prompt a password for aduser?

Answer:

1. Define the Right in the Zone 
 
Right-click > Definition -> Commands -> General. 
 
Enter a name, e.g.: 'root_any_command', in the 'Attributes' tab set 'Authentication required' and check the box 'User's password'

image01

2. Create a Role Definition in the Zone.

Right-click 'Role Definition' and select 'Add Role', in this example; "test dzdo" (see snapshot 'define-role-dzdo').

 

Select 'test dzdo' right-click and select 'Add Rights', select 'root_any_command' defined from step 1.

image02


3. Role Assignment
 
Right-click and select 'Add User' (in this example, 'lroth' is the aduser) and assign a login role and "test dzdo" role.

image03


4. On the *nix host, verify by running the following commands:

# adflush -a 
-a removes direct authorize information from the authorization store cache )

# dzdo <aduser>
# dzdo <aduser> -A

Using Putty (or any other tool), test the login to the *nix machine as the <aduser> and run:

$ dzdo vi /etc/shadow


***** Sample test on a *NIX host when ADuser logs in and edits the shadow file, it should prompt for a password. *****

Last login: Tue Jan  8 02:11:34 2013 from 172.27.21.184
lroth@ppai5-ubuntu:~$ dzdo vi /etc/shadow

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password Please:
lroth@ppai5-ubuntu:~$ dzdo vi /etc/shadow
Password Please:
lroth@ppai5-ubuntu:~$ id
uid=121636071(lroth) gid=121636071(lroth) groups=121636071(lroth)
lroth@ppai5-ubuntu:~$
 

Related Articles

 articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out? articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal?