Creating and managing local user passwords

After you create local user profiles as described in the preceding sections, you still need to assign a password to each user. You can create local user passwords in one of these ways:

  • By creating a shell script to execute the passwd command on each local computer, giving each local user the password that you specify in the script. The shell script can be executed manually, or by enabling adclient.local.account.notification.cli to run the script automatically when local accounts are refreshed. This is the least secure way to assign passwords to local users: every user receives the same password, and that password is stored in clear text in the script itself. After the script runs, you must change each password locally so that every user has a unique one.

    This guide does not include detailed instructions for implementing this method of creating local user passwords.

  • If your environment contains a third-party password management product, you can create a shell script that executes on each local computer, giving each local user a random password. The shell script can include a section that submits the passwords to the password management product for storage and maintenance. The shell script can be executed manually, or by enabling adclient.local.account.notification.cli to run the script automatically when local accounts are refreshed.

    A sample shell script, handle_local_accts.sh, is provided in /usr/share/centrifydc/samples/localacctmgmt for you to use as a reference when you create your own shell script. Typically, the shell script that you create should perform the following tasks:

    • Assign a random password to newly provisioned local users, and to local users whose accounts were recently unlocked (that is, re-enabled after having been disabled).
    • Optionally create a home directory for each new local user.
    • Provide the user account information, including the generated passwords, to a third-party password management solution.

    For syntax details about the notification CLI, execute the sample script with the -h option:

    handle_local_accts.sh -h

  • If your environment does not contain a third-party password management product and you want to create and maintain unique passwords for each local user, you can use Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service to manage local user passwords.

    Managing local user passwords this way involves these tasks:

    • Register for Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service.
    • Download the Centrify agent for Linux software package.
    • On each UNIX and Linux computer where you will assign passwords to local users, execute the cenroll command to register the computer as a managed resource.
    • Create a shell script that executes on each local computer, giving each local user a random password. The shell script should include commands to manage generated passwords. The agent package includes a sample shell script that you can use as a reference when you create your own shell script.
    • Enable the adclient.local.account.notification.cli configuration parameter to run the shell script automatically when local accounts are refreshed.
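
The two random-password methods above (hand-off to a third-party vault, and hand-off to the Centrify service) both come down to the same shell script: generate a unique password per user, set it locally, and pass it to whatever stores it. The script below is an added example written for this page; it is not the handle_local_accts.sh sample that ships in /usr/share/centrifydc/samples/localacctmgmt, and it does not reproduce that sample's argument contract. It assumes user names arrive as positional arguments (check `handle_local_accts.sh -h` for what the notification CLI actually passes before wiring it to adclient.local.account.notification.cli), and store_in_vault is a stand-in you replace with your vault product's command.

```shell
#!/bin/sh
# Added example, not Centrify's sample script. Gives each named local user a
# unique random password, vaults it, and creates a missing home directory.
# Assumptions (not from the page): users come in as positional arguments,
# and store_in_vault is a placeholder for the real vault CLI.
set -eu

# Random password of $1 characters (default 24) from /dev/urandom, limited to
# an alphabet that passes cleanly through chpasswd (no colon) and most vaults.
gen_password() {
    len="${1:-24}"
    LC_ALL=C tr -dc 'A-Za-z0-9_.+=@' < /dev/urandom | head -c "$len"
}

# Stand-in for the vault hand-off. It takes the secret on stdin, never as an
# argument, so the password does not show up in ps output or shell history.
store_in_vault() {   # $1 = host, $2 = user; password on stdin
    printf 'store_in_vault (stub): host=%s user=%s\n' "$1" "$2" >&2
    cat > /dev/null
}

# Create the home directory recorded in the passwd entry if it does not exist,
# owned by the user and their primary group, mode 0700.
ensure_home() {      # $1 = user
    entry="$(getent passwd "$1")"
    home="$(printf '%s' "$entry" | cut -d: -f6)"
    gid="$(printf '%s' "$entry" | cut -d: -f4)"
    if [ -n "$home" ] && [ ! -d "$home" ]; then
        install -d -m 0700 -o "$1" -g "$gid" "$home"
    fi
}

# Provision one user. Returns 1 and changes nothing if the name is not a local
# account. DRY_RUN=1 still generates and vaults a password but does not touch
# the system, so the script can be exercised without root.
provision_user() {   # $1 = user
    user="$1"
    if ! getent passwd "$user" > /dev/null; then
        printf 'skip %s: no such local account\n' "$user" >&2
        return 1
    fi
    pw="$(gen_password 24)"
    # Vault first: if the hand-off fails, the old password stays in force.
    # Setting the password first and then failing to vault it locks you out.
    printf '%s' "$pw" | store_in_vault "$(uname -n)" "$user"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'dry-run: would set password for %s\n' "$user" >&2
    else
        printf '%s:%s\n' "$user" "$pw" | chpasswd
        ensure_home "$user"
    fi
    unset pw
}

# One user per argument; keep going on errors and report the overall status.
main() {
    status=0
    for u in "$@"; do
        provision_user "$u" || status=1
    done
    return "$status"
}

main "$@"
```

Run it as root with the user names as arguments, or with DRY_RUN=1 as an unprivileged user to confirm the vault hand-off works before it ever changes a password. Because each password exists only in a shell variable for the few lines between generation and hand-off, unset immediately afterwards, the script leaves nothing in clear text on disk, which is the property the single-password method in the first bullet lacks.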