11 April,19 at 11:50 AM
Background
There are several kinds of non-user accounts like local admin accounts (e.g. root, Administrator), application service accounts (e.g. oracle, Apache), network services (e.g. hdfs, yarn) or batch job/multi-tier apps (e.g. sftp, ssh, etc.) The goal of Local Account management is to leverage the existing management infrastructure and framework (Active Directory, Centrify Zones, DirectMange/PowerShell/UNIX adedit) and the Centrify client (DirectControl) to provide an additional set of security controls. Centrify Suite 2016 provides the ability to:
We will provide the basic building blocks for you to evaluate this feature in your lab to explore the feasibility of it.
Like other posts, we'll use the Plan-Do-Check-Adjust model.
Planning
Use these planning steps for your test environment. We'veve added enough information that can be recycled towards production deployments.
Potential Stakeholders
Technical Requirements
Active Directory and Centrify
Password Management (optional)
Resources
How Local Account Management Works
The design and management is very similar to what you're used today with Centrify and UNIX-enabled AD users or Groups.
Information about the local user or group is stored in Active Directory. The local users or groups are defined in the zone. The scope of the local account is determined by where the identity is defined and the role that is assigned. For example, if an account should exist and be enabled in all servers, then it's defined in the topmost zone and assigned a role with visibility at that level. If it should only be visible to a group of systems (e.g. Database Servers) this can be done at the child zone or computer role level. The management is exactly identical to UNIX-enabled AD users.
Once the changes are made in AD and the flush interval passes (or the adflush command is issued) the local account actions will be triggered.
There are additional CLI tools:
A Basic Lab Design
In my test environment I have:
1. An AD domain (centrify.vms) with a single domain controller (dc.centrify.vms)
2. A domain-joined server called "member" that has Access Manager installed (Suite 2016)
3. A Centrify zone called global with 2 computer roles: App Servers and Web Servers
4. Two Linux servers (engubu1404 in the App Servers collection and engcen6 a Web Server)
5. Optional: because I'll be testing the password lifecycle management, I have a CPS tenant and a cloud connector running on member. CPS will provide the shared account password management functionality and workflow.
Use Cases
We are going to focus in several use cases:
Local UNIX Group Tests
Local UNIX UserTests
Local User and Password Management (optional*)
Implementation
Download and Install the Centrify Suite 2016 bits
Although these steps should be straightforward to you, they are documented here:
General Test Cadence
There's a simple methodology to these tests:
For example, if you create a new UNIX group called my-group (GID 3232) in all systems, after an adflush all systems should produce the same result. If you do this in an individual system (or group of systems.
Differences between Group and User tests
a) Local Users follow the same rules as UNIX-enabled AD users
Local users must have an identity and a role assigned to be visible in a system. This allows for you to scope the visibility to the zone (all), child-zone (subset), computer role (subset) or individual system. This differs from Groups that can be enabled at the zone, child-zone or individual system.
You can even time-bound the visibility of the role assigned to a local user.
b)Users must belong to at least a singe existing primary group
Otherwise, the provisioning won't work.
c) Post-provisoning actions must be defined via parameter or GPO
Provisioning users does not mean that home directories, environment variables or the password lifecycle will be handled by the Centrify agent; those actions are customizable. Centrify provides a parameter called adclient.local.account.notification.cli; it can be used with a provided script /usr/share/centrifydc/samples/localaccmgmt/handle_local_accts.sh to perform these actions.
d) Don't fall in the poor habits
Always prefer computer roles (users) and child zones (users, groups) instead of computer overrides.
Local Group Testing Video
Local User Testing Video (without actions)
Testing local user provisioning plus actions
Using the provided handle_local_accts.sh to enable provisioning actions
In order to allow for actions to be performed upon user provisioning (or de-provisioning), Centrify provides a sample script called handle_local_accts.sh that will perform actions like assign a random password, create home directories, etc. To enable this script:
$ dzdo vi /etc/centrifydc/centrifydc.conf # search for adclient.local.account.notification.cli # enable the parameter by removing the pound and # set it to the path of the sample file adclient.local.account.notification.cli /usr/share/centrifydc/samples/localacctmgmt/handle_local_accts.sh
# use access manager to enable the account (e.g. james-foo) $ dzdo /usr/share/centrifydc/bin/admanagelocal --reload $ getent passwd managed-all # this should confirm that the user is enabled $ ls -l /home # there should be an entry for the recently-created account
Testing local user provisioning plus password management
Using CPS to manage the password lifecycle of a Centrify-provisioned local user account
This test can be performed with any password manager that provides UNIX/Linux-based CLI utilities. The idea is that upon local account creation, the password manager is notified of the account creation, the password is randomized, changed and managed by the solution. This example uses Centrify Privilege Service to illustrate the use case.
To set up this test, you need to have a CPS tenant with a Cloud Connector that can reach your systems and a Linux system with the CLI Toolkit.
# install the CPS CLI toolkit bits $ dzdo yum install centrifycc-rhel6-x86_64.rpm # add the system as a CPS resource $ dzdo cjoin -k -n engcen7 -a engcen7.centrify.vms # The command joins a system using Kerberos, names it engcen7 and gives it the # hostname/ip of engcen7.centrify.vms (FQDN instead of address). # You can verify the status using the cinfo command.
$ dzdo vi /etc/centrifydc/centrifydc.conf # modify the parameter below adclient.local.account.notification.cli /usr/share/centrifycc/samples/localacctmgmt/handle_local_accts.sh
Provisioning local account with actions (random password/home directory) video
Provisioning local account with password lifecycle management (requires CPS or Password Manager)
This last video provides an example of Server Suite and Privilege Service working together:
Adjustments
There are several improvements to be made, for example: