Configuring UNIX local account reconciliation

You can reset out-of-sync managed local UNIX and Linux account passwords stored in Privileged Access Service using the following methods:

  • Centrify Client for Linux
  • Local administrative account
  • Provisioning administrative account

If desired, you can configure local account reconciliation to use the client and then use either the local or domain administrative account as a backup method. If you do that, be sure to follow the procedures for both configurations.

When a password change operation of an account fails, Centrify PAS retries the change operation periodically. If Local Account Reconciliation is enabled on the system, then Centrify PAS also reconciles the password as part of the password change operation. A password reset of local managed accounts is initiated if an out-of-sync password is detected during account login, account checkout, and rotate operations.

All events are logged and can be viewed in the Admin Portal on the Resources > Systems > Activity page. You can also build custom reports to view activity; see How to create a new report.

Note:   If you configure password reconciliation using both the client and a local administrative account, Centrify PAS attempts to use the client method first. If Centrify PAS encounters a connection issue using the client, it will then use the local administrative account to reconcile the out-of-sync password.

This topic includes the following sections:

  • Configuring a system to use the Centrify Client for Linux for account reconciliation
  • Configuring a system to use a local administrator for local UNIX account reconciliation
  • Configuring a domain with a provisioning administrative account for local UNIX account reconciliation

Configuring a system to use the Centrify Client for Linux for account reconciliation

Before you configure local account password reconciliation for Linux systems using the Centrify Client for Linux, make sure that the local and service user accounts that are allowed to access the stored and managed account passwords have the Agent Auth permission.

For installation information, see Enrolling and managing computers using the Centrify Client for Linux.

To configure local account password reconciliation on systems with the Centrify Client for Linux installed:

  1. In the Admin Portal, navigate to Resources > Systems and then select the system where you want to enable password reconciliation.

  2. Click Client Profile to view the client details and make sure that the system has the client installed and enrolled.

  3. Click Advanced and, in the Account Reconciliation Settings area, select Yes next to Local Account Automatic Maintenance to enable the policy that automatically manages the passwords for local system accounts.

    Note:   You do not need to set a local administrative account (Account Reconciliation > Local Administrative Account) for systems that have the Centrify Client for Linux installed. If you do configure the local administrative account, Centrify PAS will only use the local administrative account to reconcile the out-of-sync password if it encounters a connection issue using the client. See Configuring a system to use a local administrator for local UNIX account reconciliation for configuration details.

  4. Click Save.

Configuring a system to use a local administrator for local UNIX account reconciliation

Before you configure local account password reconciliation for UNIX systems, make sure the following requirements have been met:

  • You must know the password of the account you are storing as a local administrative account.
  • The user to be configured as the administrative account must be root or a user with sudo privileges to run the passwd command.
  • Both the administrator account and the user account that requires a password change are required to use a password and not an SSH key.
  • There must be a connector that can connect to this UNIX system.
  • Your account must have the Edit permission for the system in order to configure the settings in the following procedure.

The Privileged Access Service can manage local administrative accounts but cannot reconcile local administrative account passwords that are out of sync. If the local administrator account encounters an issue, operations using the local administrative account will fail. See the account Activity page for error details.

To configure local account password reconciliation on UNIX systems using a local administrative account:

  1. If the system already exists in the Admin Portal, click Resources > Systems to display a list of systems.

    Discovered systems, synced systems (with an active connector) and manually added systems are displayed.

    Note:   If you are adding a new UNIX system, you can add a local administrator account as part of the Add System process; see Using the wizard to add systems.

  2. Select the system where you want to add an administrative account, and then click the Advanced page.

  3. Specify which account to use as the local administrative account:

    • In the Administrative Account Settings area, next to Local Administrative Account, click Set. Then, in the Select Account text box start typing the name of the account you want to be the local administrator account and then click Select.

      Note:   The Provision button next to Local Administrative Account works if you've configured a Provisioning Administrative Account. For details, see Configuring a domain with a provisioning administrative account for local UNIX account reconciliation.

    • You can alternatively set up an administrative account for a UNIX system in the Systems > Account page. Click Resources > Systems and select the system where you want to add an administrative account. Select the Accounts page and then select the account you want to be the local administrative account. Selecting an account activates the Actions menu. From the Actions menu, select Set as Admin Account.

  4. After specifying a local administrative account, in the Account Reconciliation Settings area, select Yes for Local Account Automatic Maintenance to manage the passwords for local system accounts automatically.

  5. Click Save.

    Centrify PAS will now use the specified local administrative account to manage passwords for local accounts on this system.


To clear a local administrative account

  1. In the Admin Portal, click Resources > Systems to display a list of systems.

  2. Select the desired system.

  3. In the Accounts page, check the box next to the administrative account you want to clear.

    Selecting an account activates the Actions menu.

  4. From the Actions menu, select Clear as Admin Account.

    You can also clear the administrative account from the Resources > Systems > Advanced page.

Configuring a domain with a provisioning administrative account for local UNIX account reconciliation

As a more secure alternative to using a domain administrative account, you can configure a provisioning administrative account to handle the local account password reconciliation on UNIX systems. The provisioning administrative account is a managed account that creates a local administrative service account (called the reconciliation account) that handles the password reconciliation on UNIX systems. Directly after creating the reconciliation account, the service rotates the password of the provisioning administrative account.

Centrify PAS performs all password rotations on the affected systems using the reconciliation account. If the password change fails because the password is out of sync, an event is created, and a hard password reset is done. Local account password reconciliation (LAPR) is only available for managed local accounts on domain-joined UNIX systems.

Note:   The Management Mode and Proxy settings configured for a system (located in Admin Portal > Resources > Systems > Settings) do not apply if local account password reconciliation is enabled. For management mode, the system defaults to SMB when password reconciliation is configured. If reconciliation is not enabled for a system using the Centrify Connector, then management mode and proxy account settings are used for managed accounts.

Here are the prerequisites for configuring a provisioning administrative account for a UNIX system:

  • The UNIX system needs to be joined to a domain

  • A connector needs to be able to reach the UNIX system

  • The account you want to specify as a provisioning administrative account must:

    • Be a managed account (in the Domain > Accounts list)

    • Have sudo permission to run sh, to create the reconciliation account, and to grant it sudo permissions
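The two prerequisite lists above (the local administrative account that only needs to run passwd, and the provisioning administrative account that needs sh plus the ability to create and privilege the reconciliation account) describe two very different levels of privilege. The sudoers fragment below is an added example, not part of the Centrify documentation, showing how a defender would express each role with the least privilege the page calls for. The account names pasadmin and pasprov, the command paths, and the drop-in file path are assumptions; the exact command line the service issues must match the rule, so confirm a test rotation on the system's Activity page after applying it.

```sudoers
# Added example (assumed names/paths), not from the Centrify documentation.
# Install as /etc/sudoers.d/pas-reconcile and validate with:
#   visudo -cf /etc/sudoers.d/pas-reconcile

# 1. Local administrative account (manual configuration).
#    Only passwd is needed. Limiting the rule to passwd and excluding root
#    (the pattern from the sudoers manual) bounds the blast radius of the
#    stored credential if it is ever exposed.
pasadmin ALL=(root) NOPASSWD: /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

# 2. Provisioning administrative account (domain-joined systems).
#    Must be able to run sh, create the reconciliation account and grant it
#    sudo. This is far broader than rule 1, which is why the service rotates
#    the provisioning account's password immediately after use.
pasprov ALL=(root) NOPASSWD: /bin/sh
```

Keep the two roles on separate rules rather than granting the passwd-only account ALL: the local administrative account's password is stored by the service and cannot itself be reconciled if it drifts, so the narrower the rule, the less an attacker gains from it.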

After the provisioning administrative account creates the local reconciliation account, Centrify PAS rotates the provisioning administrative account password automatically.

Here are some things to know about the reconciliation account:

  • Centrify PAS creates the account on the UNIX system and the account has the name specified in the Reconciliation Account Name field.

  • The reconciliation account is a local administrative account on the UNIX system.

  • Centrify PAS manages the password for the reconciliation account.

  • The reconciliation account does not appear in the list of system accounts. Centrify PAS lists the account in the Local Service Accounts set, which you can either see on the system's Advanced page or by going to Resources > Accounts > Sets.

  • If you delete the reconciliation account in Centrify PAS, the service also removes the account from the UNIX system (unless the delete prompt explicitly states otherwise).

You first configure settings on the domain, and then on the individual system.

To configure a provisioning account on the domain for local account password reconciliation

Note:   The user logged in to the Admin Portal must have the Edit permission for the domain to configure the account reconciliation settings described in this procedure.

  1. In the Admin Portal, click Resources > Domains to display a list of domains.

  2. Select the domain and then click the Advanced page.

  3. In the UNIX/Linux Local Accounts area, for the Provisioning Administrative Account, click Set.

    The Select Account dialog opens.

  4. Search for and select the desired account, then click Select.

    The specified account is now added as the Provisioning Administrative Account.

  5. In the Reconciliation Account Name field, enter the name that you want the account to appear as in the UNIX systems.

  6. Click Save.

    The Provisioning Administrative Account will now display for UNIX systems.

To provision a local administrative account on a UNIX system for local account password reconciliation

Note:   The user logged in to the Admin Portal must have the Grant and View permission for the associated domain and the Edit permission for the system in order to configure the settings described in the following procedure.

  1. Make sure the UNIX system where you are configuring password reconciliation is domain-joined.

  2. In the Admin Portal, click Resources > Systems to display a list of systems.

  3. Select the desired system and then click the Advanced page.

  4. In the Administrative Account Settings area, next to Local Administrative Account, click Provision.

    The service creates a local administrative account with the reconciliation account name that you specified on the domain.

    Tip:     You can also provision the local administrative account from the Advanced page by opening the Action menu and selecting Provision Local Administrative Account.

  5. Under Account Reconciliation Settings, change the Local Account Automatic Maintenance setting to Yes.

  6. Click Save.