WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL
© CENTRIFY CORPORATION 2004-2005. ALL RIGHTS RESERVED.
In addition to creating a new Active Directory computer account and configuring the UNIX
computer to allow authorized users to log on, the join operation also performs the
• Synchronizes the local computer's time with Active Directory to ensure that the
  timestamp of Kerberos tickets is within the acceptable time period to allow for
• Updates the Kerberos principal service names used by the host computer, generating
  new Kerberos configuration files, krb5.keytab files, and new service keys for the host
  and for the HTTP service.
• Sets the password on the Active Directory computer account for the UNIX computer
  to a randomly-generated password. The password is encrypted and stored locally to
  ensure that only DirectControl controls the account.
• Starts the Centrify DirectControl daemon (adclient).
For more information about the options you can specify when joining a UNIX computer to
an Active Directory domain, see the section "Joining UNIX Computers to Active Directory"
later in this guide and see the Centrify man page for the adjoin command or the Centrify
DirectControl Administrator's Guide.
Restarting Running Services
You might need to restart certain services on UNIX computers on which you install the
Centrify DirectControl Agent to ensure that those services reread the system
configuration files that DirectControl updates. The most common services that must be
restarted are sshd (the secure shell [SSH] login daemon) and gdm (the GNOME Display
Manager [GDM] graphical login program). If you use these services, you need to restart
For example, to restart sshd, type the following command:
Alternatively, you can reboot the computer to restart all services.
Because the applications and services running on different servers might vary, a good
practice is to reboot each computer to ensure that all of the applications and services on
the computer read the DirectControl configuration changes.
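If a reboot is not possible, one way to find daemons that still hold the pre-join configuration is to compare each daemon's start time with the modification time of the files it reads at startup. The script below is an added example, not part of this guide or of DirectControl. The file list in CONFIG_FILES is an assumption to adjust per platform, and the script assumes GNU stat and date and procps ps and pgrep (Linux).

```shell
#!/bin/sh
# Added example: flag daemons that started before the configuration files
# they read at startup were last modified.

# ASSUMPTION: files the join is expected to update; adjust for your platform.
CONFIG_FILES="/etc/nsswitch.conf /etc/krb5.conf /etc/pam.d/sshd"

# newest_mtime FILE... -> prints the newest modification time (epoch seconds)
# among the files that exist, or 0 if none exist.
newest_mtime() {
    newest=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        m=$(stat -c %Y "$f") || continue
        if [ "$m" -gt "$newest" ]; then newest=$m; fi
    done
    echo "$newest"
}

# is_stale START_EPOCH FILE... -> succeeds if any FILE changed after START_EPOCH.
is_stale() {
    start=$1
    shift
    [ "$(newest_mtime "$@")" -gt "$start" ]
}

# proc_start_epoch PID -> start time of PID in epoch seconds.
proc_start_epoch() {
    date -d "$(ps -o lstart= -p "$1")" +%s
}

# report_stale NAME... -> for each daemon name, check its oldest running
# instance (the listener) against the newest change to CONFIG_FILES.
report_stale() {
    for name in "$@"; do
        pid=$(pgrep -o -x "$name") || continue   # not running: nothing to do
        # CONFIG_FILES is intentionally unquoted so it splits into paths.
        if is_stale "$(proc_start_epoch "$pid")" $CONFIG_FILES; then
            echo "$name (pid $pid) predates the last config change: restart it"
        fi
    done
}

# Usage on a joined host: report_stale sshd gdm
```

A daemon that is not reported either started after the last change or reads none of the listed files, so keep the list in line with what the join actually modified on your platform.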
Performing Quick Validation Tests
At this stage in the Development phase, it is advisable to run validation tests to ensure
that the software is installed correctly and is providing basic services. Later, the section
"Testing and Stabilizing Authentication and Authorization" provides more comprehensive
information about how to test the DirectControl solution.
Confirming Configuration of Users and Groups
After completing the steps described earlier in the sections "Creating Test Users and
Groups," "Configuring Active Directory with the first DirectControl Zone," and "Enabling
Groups and Users for UNIX," you have a default Zone with two users (testuser and
testadmin) and two groups (FinanceUsers and FinanceAdmins) enabled as members
of the default Zone.
For this validation test, you use the following procedure to check that testuser and
FinanceUsers are configured correctly.
To confirm that testuser and FinanceUsers are configured correctly
1. On a Windows computer on which you ran the Centrify DirectControl Setup Wizard,
open Active Directory Users and Computers.