WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL
© CENTRIFY CORPORATION 2004-2005. ALL RIGHTS RESERVED.
that you might have added manually. Because of this, DirectControl works seamlessly
with your existing Kerberos-enabled applications.
The following figure illustrates the NSS, PAM, and Kerberos services that are configured
and enabled as part of the DirectControl configuration.
Figure 1.12. NSS, PAM, and Kerberos Services Enabled by DirectControl
The DirectControl software on the UNIX computer installs two daemons that start at
system startup. The first is adclient, which is the most important element in the Centrify
DirectControl Agent architecture. The second, adnisd, is an optional daemon that
services NIS requests.
The DirectControl adclient daemon manages all of the LDAP and Kerberos
communications between Active Directory and the UNIX computer on which the
daemon is installed. The adclient daemon performs several key tasks related to
synchronizing the local computer's time with the clock maintained by Active Directory.
Synchronization ensures that the timestamps on Kerberos tickets issued by the KDC
are within a valid range.
The DirectControl adnisd daemon intercepts requests to a NIS server for directory
information and redirects these requests to Active Directory. Setting up and enabling
the DirectControl NIS Server is outside the scope of this guide. For more information
about configuring a UNIX computer with the DirectControl NIS Server, see the
Centrify DirectControl Administrator's Guide.
Joining the Active Directory Domain
After you install Centrify DirectControl on a Windows computer and install the
DirectControl Agent on one or more UNIX computers, you can join the UNIX computer to
any Active Directory domain in the forest and can use existing Active Directory groups