The release of CSS2016 has brought a lot of cool new features many have been talking about on these forums. One of the best features engineered into our product this release allows for unix administrators to manage local/system/service accounts through DirectManage Access Manager.
Let us level set for a moment. Sure, Server Suite has always been able to provide authentication and authorization (sudo replacement with dzdo) from Active Directory down to the unix nodes. But that type of AD bridging didn't work well for any accounts used by an application or process that wasn't compiled to read the PAM stack. In other words, the unix account needed to exist in /etc/passwd in order for the application to work. This added a level of unix administration to manage these accounts locally on every server, including uid/gid management, password management and potentially privilege management through sudoers.
Centrify Server Suite 2016 will now allow unix administrators to truly manage those local accounts through Access Manager. Let me show you how this is accomplished.
You will need to have 2016 version of DirectControl Access Manager installed on a Windows target and you will need to upgrade your unix clients to the 2016 version to take advantage of this new feature.
When you open the Access Manager console and expand on the 'UNIX Data' tree, you will see a few new sections labelled 'Local Users' and 'Local Groups'.
Right-Click 'Local Users' to 'Add User to Zone'
Provide the Unix User name:
Then fill in the Unix user profile:
Two options at the bottom are also new. First, local users that are 'Assign local listed role to make this user visible' option will be visible in Access Manager.
Second, the 'State' of the local account is import. Here we see three options
Enable: If the user profile is complete, the local user will be
Once you have completed the local user set, you will need to enable the local account management feature (by default it is off). There are 2 ways in enabling the local account management feature:
1. Through GP (will require either our admx templates or install the GP extension):
"Computer Configuration" -> "Centrify Settings" -> "DirectControl Settings" -> "Local Account Management"
-> "Enable local account management feature"
2. Through the /etc/centrifydc/centrifydc.conf file:
a. Add the below entry into the config file:
b. Save and run adreload to take effect.
After that, you can wait until the cache refresh or run the below command to reload the local account:
[root@red7 ~]# /usr/share/centrifydc/bin/admanagelocal -R
From here, you could consider adding privilege rights for the local unix account you just created through DirectAuthorize. You could also add AD account credentials by mapping the local unix account back to AD through the Users tab under UNIX Data. The AD password could then be vaulted and accessible through our CPS tools.
Finally, if you consider managing these local unix accounts at the Zone level, you gain the ability to centrally manage the account, taking away the mundane and menial task of managing local unix accounts server by server.