Configuring UNIX local account password reconciliation

You can reset out-of-sync managed local Unix account passwords stored in Privileged Access Service using the following methods:

  • Centrify Client for Linux
  • Centrify Connector (uses the Local Administrative Account configured in the Admin Portal)

When a password change operation of an account fails, Centrify PAS retries the change operation periodically. If Local Account Reconciliation is enabled on the system, then the Centrify PAS also reconciles the password as part of the password change operation. A password reset of local managed accounts is initiated if an out-of-sync password is detected during account login, account checkout, and rotate operations.

All events are logged and can be viewed in the Admin Portal Resources > Systems > Activity page. You can also build custom reports to view activity; see How to create a new report.

Note:   If you configure password reconciliation using both the Centrify Client for Linux and a local Administrative Account, Centrify PAS attempts to use the Centrify Client for Linux method first. If Centrify PAS encounters a connection issue using the Centrify Client, it will then use the local Administrative Account to reconcile the out-of-sync password.

For information on configuring password reconciliation, see the following instructions:

Method used, and the instructions to follow for it:

  • Centrify Client for Linux: Password reconciliation using the Centrify Client for Linux
  • Centrify Connector (uses the Local Administrative Account): Password reconciliation using a local Administrative Account
  • Both (Centrify Client for Linux and Local Administrative Account): Password reconciliation using the Centrify Client for Linux, and Password reconciliation using a local Administrative Account

Password reconciliation using the Centrify Client for Linux

See the following procedures to enable password reconciliation on Unix systems that have the Centrify Client for Linux installed. Before you configure local account password reconciliation for Unix systems, make sure the following requirements have been met:

  • Version 20.3 or newer of the Centrify Client for Linux must be installed on the Unix system.
  • Local and service user accounts that are allowed to access the stored and managed account passwords must have the Agent Auth permission.

For Centrify Client for Linux installation information, see Enrolling and managing computers using Centrify Clients for Linux.

To configure password reconciliation on Unix systems with the Centrify Client installed:

  1. In the Admin Portal, click Resources > Systems and then select the system where you want to enable password reconciliation.

  2. Make sure the system has version 20.3 or later of the Centrify Client for Linux installed.

    To determine the client version installed on the system, check the Resources > Systems > Client Profile page. If the system does not have the client installed, the message Centrify Client not installed is displayed.

  3. Once you verify that the system has the Centrify Client for Linux installed, click the Advanced page.
  4. Check the box next to Local Account Automatic Maintenance to enable the policy that automatically manages the passwords for local system accounts.

    Note:   You do not need to set a local administrative account (Account Reconciliation > Local Administrative Account) for systems that have the Centrify Client for Linux installed. If you do configure the local administrative account, Centrify PAS will only use the local Administrative Account to reconcile the out-of-sync password if it encounters a connection issue using the Centrify Client. See Password reconciliation using a local Administrative Account for configuration details.

Password reconciliation using a local Administrative Account

Before you configure local account password reconciliation for Unix systems, make sure the following requirements have been met:

  • Your tenant must have a live Centrify Connector configured, and the connector must be version 20.1 or newer.
  • You must know the password of the account you are storing as a local Administrative Account.
  • The user to be configured as the Administrative Account needs to be a root user or a user with sudo privileges to run the passwd command.
  • Both the Administrative Account and the user account that requires a password change are required to use a password and not an SSH key.
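The last three requirements can be verified on the host before the account is set as the local Administrative Account. The following POSIX shell script is an added example, not a Centrify script: it checks that the account has a usable password (not locked, not empty, so an SSH-key-only account is rejected) and that it is either root or allowed by sudo to run passwd. The account name pasadmin, the host name and the sudoers rule shown in the comments are assumed placeholders. The two parser functions take command output as a string so they can be exercised without root; the live wrapper must run as root because passwd -S and sudo -l -U read protected data.

```shell
#!/bin/sh
# Added example: pre-flight check of the local Administrative Account
# prerequisites on a Unix host. Not part of the Centrify product.
#
# The account must authenticate with a password (not only an SSH key)
# and must be root or be permitted by sudo to run passwd. An unrestricted
# passwd rule would also let the account change root's password, so an
# assumed least-privilege sudoers rule (placeholder account name) is:
#   pasadmin ALL=(root) NOPASSWD: /usr/bin/passwd, !/usr/bin/passwd root

# passwd_status_ok LINE
# Return 0 when one line of `passwd -S <user>` output shows a usable
# password. Field 2 is P/PS (password set), L/LK (locked) or NP (no
# password); the exact codes differ between distributions.
passwd_status_ok() {
    set -- $1
    case "$2" in
        P|PS) return 0 ;;
        *)    return 1 ;;
    esac
}

# sudo_allows_passwd TEXT
# Return 0 when the output of `sudo -l -U <user>` contains a rule that
# runs as root (or ALL) and grants /usr/bin/passwd (or ALL).
sudo_allows_passwd() {
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*\((root|ALL)[^)]*\).*(ALL|/passwd)([[:space:],]|$)'
}

# check_reconcile_prereqs USER
# Live check; must run as root. Prints a diagnostic and returns 1 on the
# first unmet requirement.
check_reconcile_prereqs() {
    user="$1"
    uid="$(id -u "$user" 2>/dev/null)" || {
        echo "$user: no such local account" >&2
        return 1
    }
    status="$(passwd -S "$user" 2>/dev/null)" || {
        echo "$user: cannot read password status (run as root)" >&2
        return 1
    }
    passwd_status_ok "$status" || {
        echo "$user: no usable password (locked, empty or key-only)" >&2
        return 1
    }
    # root needs no sudo rule; any other user must be able to run passwd.
    if [ "$uid" != 0 ]; then
        rules="$(sudo -l -U "$user" 2>/dev/null)" || {
            echo "$user: cannot list sudo rules (run as root)" >&2
            return 1
        }
        sudo_allows_passwd "$rules" || {
            echo "$user: sudo does not permit running passwd as root" >&2
            return 1
        }
    fi
    echo "$user: meets the local Administrative Account prerequisites"
}

# Usage (as root, placeholder account name):
#   check_reconcile_prereqs pasadmin
```

The account that will have its password reset has the same password-not-key requirement, so the first check can be run against it as well; only the Administrative Account needs the sudo rule.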

The Privileged Access Service cannot reconcile local Administrative Account passwords that are out of sync. If the local Administrative Account encounters an issue, operations using the local Administrative Account will fail. See the account Activity page for error details.

To configure password reconciliation on Unix systems using a local Administrative Account:

Note:   The user logged in to the Admin Portal must have the Edit permission for the system in order to configure the settings described in the following procedure.

  1. If the system already exists in the Admin Portal, click Resources > Systems to display a list of systems.

    Discovered systems, synced systems (with an active connector) and manually added systems are displayed.

    Note:   If you are adding a new Unix system, you can add a local Administrative Account as part of the Add System process; see Using the wizard to add systems.

  2. Select the system where you want to add an Administrative Account, and then click the Advanced page.
  3. In Account Reconciliation > Local Administrative Account, click Set.
  4. In the Select Account text box, start typing the name of the account you want to be the local Administrative Account, and then click Select.

    You can alternatively set up an Administrative Account for a Unix system in the Systems > Account page. Click Resources > Systems and select the system where you want to add an Administrative Account. Select the Accounts page and then select the account you want to be the local Administrative Account. Selecting an account activates the Actions menu. From the Actions menu, select Set as Admin Account.

  5. In the Advanced page, check the box next to Local Account Automatic Maintenance to enable the policy that automatically manages the passwords for local system accounts.

To clear a local Administrative Account

  1. In the Admin Portal, click Resources > Systems to display a list of systems.

  2. Select the system where you want to clear the Administrative Account.
  3. In the Accounts page, check the box next to the Administrative Account you want to clear.

    Selecting an account activates the Actions menu.

  4. From the Actions menu, select Clear as Admin Account.

    You can also clear the Administrative Account from the Resources > Systems > Advanced page.