Applies to: All versions of Centrify DirectControl on All Platforms
Question:
In a Classic Zone, once a new user is added to the Zone, the user will be able to access all the servers inside that Classic Zone (no role assignment is required).
For example:
[root@redhat Desktop]# dzinfo str
Zone Status: DirectAuthorize is enabled
User: str
Forced into restricted environment: No
Role Name Avail Restricted Env
--------------- ----- --------------
(str has no roles assigned)
PAM Application Avail Source Roles
--------------- ----- --------------------
(str can use any pam application)
Privileged commands:
Name Avail Command Source Roles
--------------- ----- -------------------- --------------------
(str has no privileged command rights)
[root@redhat Desktop]# ssh str@localhost
str@localhost's password:
Last login: Thu Aug 8 00:28:44 2013 from 192.168.0.111
[str@redhat ~]$
Can the user be limited to only one particular machine in Classic Zone?
Answer:
To achieve this, follow the steps below after adding the target AD user to the target Classic Zone:
Open the Centrify DirectManage Access Manager console:
- In the target Classic Zone, create a new role (called "Restricted to Login" in the example below).
- Right-click the newly created role > Properties and add a redundant PAM access right to this role, i.e. one that grants no actual login (in the example below it is also called "Restricted to Login").
- Right-click the newly created role > Assign Users and Groups and assign the target AD user (Fred Thomas in the example below) to this new role "Restricted to Login". See the screen capture below.
At this stage, AD user Fred Thomas has no access right on any of the computers in the target Classic Zone.

"dzinfo <user name>" output after running "adflush -f" on the target computer:
[root@redhat Desktop]# dzinfo fred.thomas
Zone Status: DirectAuthorize is enabled
User: fred.thomas
Forced into restricted environment: No
Role Name Avail Restricted Env
--------------- ----- --------------
Restricted to Yes None
Login
Effective rights:
PAM Application Avail Source Roles
--------------- ----- --------------------
Restricted to Yes Restricted to Login
Login
Privileged commands:
Name Avail Command Source Roles
--------------- ----- -------------------- --------------------
(fred.thomas has no privileged command rights)
[root@redhat Desktop]# ssh fred.thomas@localhost
fred.thomas@localhost's password:
Account cannot be accessed at this time.
Please contact your system administrator.
Connection closed by ::1
[root@redhat Desktop]#
- On the target computer that the target AD user will be allowed to access, right-click a role that grants the user login rights ("Login Role" in the example below) > "Assign Users and Groups" and assign the target AD user to "Login Role". See the screen capture below.

Note: Make sure the "Login Role" assigned to the target user has the appropriate login right(s). See the screen capture below for the PAM access right of the "Login Role".

At this stage, AD user Fred Thomas has no access right on any computer in the target Zone except for the target computer above.
- As local admin or root, run "adflush -f" on the target machine to make the role assignment changes effective. The target user will then be able to log in to the target machine only.
[root@redhat Desktop]# dzinfo fred.thomas
Zone Status: DirectAuthorize is enabled
User: fred.thomas
Forced into restricted environment: No
Role Name Avail Restricted Env
--------------- ----- --------------
Restricted to Yes None
Login
Login Role Yes None
Effective rights:
PAM Application Avail Source Roles
--------------- ----- --------------------
!* Yes Login Role
ssh* Yes Login Role
Restricted to Yes Restricted to Login
Login
Privileged commands:
Name Avail Command Source Roles
--------------- ----- -------------------- --------------------
(fred.thomas has no privileged command rights)
[root@redhat Desktop]# ssh fred.thomas@localhost
fred.thomas@localhost's password:
Last login: Thu Aug 8 01:00:53 2013 from localhost
[fred.thomas@redhat ~]$
Whenever a user needs a similar arrangement (i.e. the user is prohibited from accessing all machines in the Classic Zone apart from one), the logic is:
- Add the user to Zone
- Assign the user with "Restricted to Login" role in Zone > Roles
- Assign the user with "Login Role" in Zone > Computers > <target computer> > Role Assignments
- Run "adflush -f" on the target machine to make the changes effective.
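To verify on each host that the arrangement took effect, the script below (an added example, not part of this Centrify article) parses the "dzinfo <user>" output shown above and reports whether the user still holds a real PAM login right on that host or only the placeholder "Restricted to Login" right. It assumes dzinfo's 15/5/20-character column layout, and the two dzinfo samples in it are constructed.

```shell
#!/bin/sh
# Added example (not from the Centrify article): audit "dzinfo <user>" output from one
# host and report whether the user holds a real PAM login right there or only the
# placeholder "Restricted to Login" right. Assumes dzinfo's 15/5/20-character columns.
PLACEHOLDER="Restricted to Login"   # name of the placeholder PAM right in the article
# Read dzinfo output on stdin; print "<pam application>|<source roles>" for each
# effective PAM right, re-joining names that dzinfo wrapped onto a continuation line.
effective_pam_rights() {
    awk '
        /^PAM Application/                  { insec = 1; next }
        /^Privileged commands/              { insec = 0 }
        !insec || /^-+ -+/ || /^[ \t]*$/    { next }   # outside section, underline, blank
        /^\(.*can use any pam application/  { n++; apps[n] = "*"; rl[n] = "(no role needed)"; next }
        /^\(/                               { next }   # other "(user has no ...)" notes
        {
            app   = substr($0, 1, 15);  sub(/[ \t]+$/, "", app)
            avail = substr($0, 17, 5);  gsub(/[ \t]/, "", avail)
            roles = substr($0, 23);     sub(/[ \t]+$/, "", roles)
            if (avail == "") {          # wrapped continuation of the previous row
                if (app != "") apps[n] = apps[n] " " app
                if (roles != "") rl[n] = rl[n] " " roles
                next
            }
            n++; apps[n] = app; rl[n] = roles
        }
        END { for (i = 1; i <= n; i++) print apps[i] "|" rl[i] }'
}
# Print "yes" if any effective PAM right other than the placeholder exists
# (the user can actually log in on this host), otherwise "no".
has_real_login_right() {
    effective_pam_rights | awk -F'|' -v ph="$PLACEHOLDER" '
        $1 != ph { found = 1 } ; END { print (found ? "yes" : "no") }'
}
# Constructed sample: the user holds only "Restricted to Login" in the zone.
SAMPLE_LOCKED=$(cat <<'EOF'
PAM Application Avail Source Roles
--------------- ----- --------------------
Restricted to   Yes   Restricted to Login
Login
EOF
)
# Constructed sample: the same user after "Login Role" is assigned on this host.
SAMPLE_ALLOWED=$(cat <<'EOF'
PAM Application Avail Source Roles
--------------- ----- --------------------
!*              Yes   Login Role
ssh*            Yes   Login Role
Restricted to   Yes   Restricted to Login
Login
EOF
)
```

On a real host run "dzinfo <user> | has_real_login_right" after "adflush -f"; it should print "yes" only on the one permitted machine and "no" everywhere else in the zone.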
Centrify DirectControl version 5 and above offers a better solution for this kind of scenario: Hierarchical Zones.
Please see the following link or contact Centrify if further information is needed:
http://www.centrify.com/directcontrol/zones.asp