WINDOWS SECURITY AND DIRECTORY SERVICES FOR UNIX USING CENTRIFY DIRECTCONTROL
63
© CENTRIFY CORPORATION 2004-2005. ALL RIGHTS RESERVED.
PAGE 63
problem. Typically, the problem is related to how the UNIX computer is joined to the
Active Directory domain, local settings on the UNIX computer, or user settings in Active
Directory. The following procedures show how to investigate each of these potential
problem areas.
To check the status of the UNIX computer's relationship with the Active Directory
domain
1. Log on to the UNIX computer and make sure that there is network connectivity
between the UNIX computer and an Active Directory domain controller. For example,
use the ping command:
ping DomainControllerName
2. Log on to the UNIX computer as root and run adinfo. The output from this command
should be similar to the following:
Local host name: redhat9-1
Joing to domain: contoso.local
Joined as:
redhat9-1
Preferred site: Default-First-Site-Name
Zone:
contoso.local/Program
Data/Centrify/Zones/default
If the output displays an error, it is likely that the join was not done correctly. Perform
an adleave and an adjoin again and repeat the adinfo step. If there is still a
problem, there might be an issue with network connectivity or the names that were
used when the UNIX computer joined the domain.
For information about how to use adjoin, see "Understanding the adjoin command"
and "Using adjoin to join a UNIX or Linux computer to Active Directory" earlier in this
guide.
For more information about how to use adleave and adinfo, see "To check that your
deployment is stable" in "Stabilizing the Deployment" earlier in this guide.
3. If the output in step 1 does not show an error, check that the system clocks for the
UNIX computer and the Windows computer are synchronized. If they are not in sync,
reset the UNIX computer system clock using the date command. See the UNIX man
page date(1) for the appropriate syntax for your UNIX or Linux operating system.
To check the DirectControl settings on the UNIX computer
1. Log on to the UNIX computer as root.
2. Open the file /etc/centrifydc/centrifydc.conf in an editor, such as vi, and search for the
line the starts with "
pam.deny.users:
". Make sure that the user who is trying to log
on to the UNIX computer is not listed on this line. Also check to make sure the user is
not a member of a group that is restricted from logging on to the UNIX computer
based on the settings of the "
pam.deny.groups
" line.
3. If the problem still exists, check the contents of the log file /var/log/messages after
the user attempts to log on. You can use information in this file to help determine
where there might be an issue with the configuration of the software or issues with
the user's account.
To check the user's settings
1. Log on to the UNIX computer and run the command:
getent passwd
This command displays both a list of local users and UNIX-enabled Active Directory
users. Search the output for the user's name.
If the name is not found but other Active Directory users are listed, it is likely that the
user has not been added to the Zone that the UNIX computer is a member of. Log on
to a Windows computer where the DirectControl software is installed and enable the
user in the correct Zone.