WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL
© CENTRIFY CORPORATION 2004-2005. ALL RIGHTS RESERVED.
Because mapping a local UNIX user account to an Active Directory account gives you
better control over password policies, this technique is especially useful for controlling
access to accounts that have special privileges. For example, the local superuser or root
user account on each UNIX computer has broad authority. By mapping this account to an
Active Directory account and password, you can:
Control access to the root user account because users cannot log on unless they
know the Active Directory password for the account.
Ensure that Active Directory password policies are applied to the root user account
password so that each root user password is complex enough or changed frequently
enough to conform with established security policies.
Although mapping is especially useful for the root user account, you can also map any
local UNIX user account to an Active Directory account. For example, many applications
have their own special user account with permission to perform restricted operations. If
you want to enforce Active Directory password policies for such an account or for any
other local user account, you can do so by mapping the local UNIX account to an Active
Mapping the Root Account to an Active Directory Account for Increased
The most likely candidate for account mapping is the root user because every UNIX
computer has its own root user account. Typically, however, you do not want to create a
single user in Active Directory for the root user account because doing so compromises
the security of your network, giving anyone with the root password root-level access to
every UNIX computer in the forest. To prevent this problem, DirectControl allows you to
map the local root user account to another user name in Active Directory for password
You can specify a separate Active Directory user account for each UNIX computer so
that each root user has a unique name and password. Alternatively, you can use one
Active Directory user account for all root users of a group of UNIX computers so that
there are fewer accounts and passwords to manage.
For example, if you have a group of computers in a DirectControl Zone called WebFarm
and you want to use one Active Directory password for the root account on all of these
computers, create an Active Directory user account called root_WebFarm, and then map
that user to the local root user by using the User Map group policy for UNIX computers.
When a user logs on as root, the user is authenticated with the password for the Active
Directory account that you created. If, for example, the user logs on with a root user
account and the password &tiger1, Centrify DirectControl checks the Active Directory
password for the account (such as root_WebFarm) to which the root user is mapped. If
the password &tiger1 is valid for the Active Directory account, the user is authenticated
and allowed to log on.
By default, DirectControl maps the local root user account to an Active Directory account
called root_zonename. However, you can change the Active Directory account you want
to map to on any computer by using group policy or by modifying the computer's Centrify
DirectControl configuration file, /etc/centrifydc/centrifydc.conf.
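The following is an added example, not Centrify's code or documentation: a small POSIX shell audit that reads the mapping for the local root user out of a centrifydc.conf and reports whether root points at the per-zone root_zonename account the text describes, at some other dedicated account, at an account that other local users also share, or at nothing at all. It assumes the User Map setting is stored as a `pam.mapuser.<localuser>: <ADaccount>` line; the page names only the file path, so that key and the sample files are constructed here.

```shell
#!/bin/sh
# Added example (not Centrify's code): inspect the root-to-AD mapping in a
# centrifydc.conf. Assumption: the User Map setting is stored as
# "pam.mapuser.<localuser>: <ADaccount>"; only the file path is on the page.

# mapped_user CONF LOCALUSER -> prints the AD account LOCALUSER maps to
mapped_user() {
    awk -v key="pam.mapuser.$2:" '$1 == key { print $2; exit }' "$1"
}

# audit_root_mapping CONF ZONE -> one word describing the root mapping:
#   unmapped  no pam.mapuser.root line, so root keeps its local password
#   shared    the AD account root maps to is also mapped to other local users
#   ok        root maps to the per-zone root_<ZONE> account the text describes
#   custom    root maps to some other dedicated AD account
audit_root_mapping() {
    target=$(mapped_user "$1" root)
    [ -n "$target" ] || { echo unmapped; return 0; }
    count=$(awk -v t="$target" '$1 ~ /^pam\.mapuser\./ && $2 == t { n++ } END { print n + 0 }' "$1")
    if [ "$count" -gt 1 ]; then echo shared
    elif [ "$target" = "root_$2" ]; then echo ok
    else echo custom; fi
}

# Constructed sample configurations (not real files), removed on exit.
GOOD_CONF=$(mktemp); SHARED_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$SHARED_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
# constructed sample: per-zone mapping as in the WebFarm example
pam.mapuser.root: root_WebFarm
pam.mapuser.oracle: svc_oracle_WebFarm
EOF
cat > "$SHARED_CONF" <<'EOF'
# constructed sample: two local accounts mapped to the same AD account
pam.mapuser.root: root_WebFarm
pam.mapuser.backup: root_WebFarm
EOF

echo "good:   $(audit_root_mapping "$GOOD_CONF" WebFarm)"    # ok
echo "shared: $(audit_root_mapping "$SHARED_CONF" WebFarm)"  # shared
```

Run it against the real /etc/centrifydc/centrifydc.conf by passing that path and the computer's Zone name to audit_root_mapping instead of the constructed files.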
You map the local root user account to the default Active Directory user account by
creating the Active Directory user account that uses the root_zonename naming
To map the local root user account to the default Active Directory user account
1. Create the Active Directory user account that you want to use. For example, if you
want to use the same Active Directory account for the root account on all computers
in the Zone WebFarm, create an Active Directory user account called root_WebFarm.
2. On a UNIX computer, open the Centrify DirectControl configuration file