Preparing for Agentless Authentication for NIS Clients

This section describes the activities that are specific to preparing your environment to handle agentless authentication and authorization. If you only plan to use Delinea Network Information Service (adnisd) to publish network information, such as automount mount points, netgroup membership rules, or custom maps, you can skip this chapter.

Deciding to Use Agentless Authentication

Normally, the adclient agent is installed locally on a computer to handle all account authentication and lookup requests that need to be passed to Active Directory. On computers and devices where you cannot install a Delinea Agent locally, you may be able to use the Delinea Network Information Service (adnisd) to provide agentless authentication.

With agentless authentication, computers that have older or unsupported operating systems that can be, or already are, configured as NIS clients can submit NIS requests to the Delinea Network Information Service. The Delinea Network Information Service can then check its cached Active Directory information to verify whether a user or group has valid credentials and is authorized to log on.

The following figure provides a simplified view of this environment.


In this scenario, the Delinea zone acts as the NIS domain for a group of computers or devices that are configured as NIS clients. Those clients submit requests to the Delinea Network Information Service, adnisd, listening on the NIS port.

The Delinea Network Information Service periodically contacts the adclient agent to get updated information from Active Directory and generates a set of “maps” that it stores locally. The Delinea Network Information Service can then use the information in these maps to respond to NIS client requests for authentication or other services.

The user and group “maps” are generated automatically based on the users and groups that have profiles currently enabled in the zone. Network information and custom maps can also be published for a zone, but those maps must be manually imported or created. The maps for agentless authentication only require you to add and enable a profile for each Active Directory user and group who should have access to the zone. In this way, the Delinea Network Information Service can be used to service agentless authentication requests from computers or devices where adclient itself cannot be installed.

Planning for Agentless Authentication

In planning a deployment that supports agentless authentication for NIS clients, you should keep in mind that the zone associated with the computer where adnisd is installed defines the scope of information available to the NIS clients that the adnisd process serves. Each instance of adnisd supports one and only one zone, which is equivalent to a single NIS domain. The adnisd process can only look up information for the computers, groups, and users that exist in the same zone as the local computer account, and all instances of the adnisd in the same zone respond to queries using the same information from Active Directory.

For users and groups to be available for agentless authentication, therefore, they must be enabled for the zone the Delinea Network Information Service serves. In addition, each zone that supports agentless authentication requires an Active Directory attribute for storing the password hash for UNIX-enabled users. The password hash is not created in Active Directory by default, so it must be generated then maintained using a password synchronization service installed on all of your domain controllers. The Active Directory attribute that holds the password hash must be accessible to the computers you are using as NIS servers in each zone.

If you install the Delinea Network Information Service on multiple computers, whether in the same zone or across multiple zones, all of these instances are zone-specific peers. There are no master/slave instances.

If you decide you want to use the Delinea Network Information Service to support agentless authentication, you should:

  • Identify the zones for which you want to publish information. For example, if you want user and group information broadly available to NIS clients across the network and you have a parent zone, you may want to allow agentless authentication for all of the users in that zone. If you want to strictly control which users can be authenticated to NIS clients, you may want to create a separate agentless-authentication child zone that only contains those users and their groups. For each zone that supports agentless authentication, you must specify the Active Directory attribute for storing the password hash.

  • Identify the computers that should service NIS client requests in each zone. You can designate any computer that has the Delinea Agent installed to also act as the Delinea Network Information Server in the zone. Any computer you want to use as the NIS server must have the Delinea Agent for *NIX installed and must be joined to an Active Directory domain.

  • Install a password synchronization service on all of the domain controllers in the joined domain.

  • Install and configure the Delinea Network Information Service (adnisd) on the selected computers in each zone. On the computers that will act as NIS servers in a zone, you must manually install and start the adnisd service. Alternatively, you can modify the startup script on each local computer so that the adnisd process starts whenever the local computer is rebooted. You also may want to customize the configuration parameters that control the operation of the adnisd process.

  • Configure computers and devices as NIS clients that bind to the Delinea Network Information Service on the selected computers in each zone. If any existing NIS servers are running, you will need to reconfigure the NIS clients on the network to use the computer where the Delinea Network Information Service is installed as their NIS server.

  • Import and enable the users and groups who need to be authenticated to NIS clients for the zone. You can migrate this information from existing NIS servers or local configuration files by importing passwd and group NIS maps or local /etc/passwd and /etc/group files using the Import from Unix wizard, or you can manually or programmatically create UNIX profiles for users and groups, as needed. The users and groups must have UNIX profiles stored in Active Directory and enabled for the local computer’s zone for the Delinea Network Information Service to generate the maps it needs to service agentless authentication and lookup requests from NIS clients.

  • Import and manage any additional NIS maps you want to make available to NIS clients. For example, you can import network maps such as netgroup and automount NIS maps or create custom maps using the Access Manager console.

    Importing existing NIS maps simply provides a mechanism for migrating information to the Active Directory. Once the information is stored in Active Directory, any original NIS maps you imported are no longer used. Instead, the Delinea Network Information Service uses the information stored in Active Directory to automatically generate the maps it needs to service authentication and lookup requests. This local cache of data is updated at a regular interval.

Selecting a Zone to Use for NIS Authentication

A computer’s zone is equivalent to a NIS domain for the Delinea Network Information Service. Each instance of the Delinea Network Information Service supports one and only one zone. All instances of the Delinea Network Information Service in the same zone respond to queries using the same information from Active Directory.

If user information from a zone needs to be available to NIS clients for agentless authentication, the Delinea Network Information Service must be able to access the password hash for zone users. However, because Active Directory does not generate a password hash for users by default, there’s no default attribute for storing this information.

To enable the password hash to be stored for users in a zone:

  1. Start Access Manager.

  2. In the console tree, expand the Zones node.

  3. Select the zone that will service NIS client requests, right-click, then click Properties.

    For example, if you want to work with a child zone, sanfrancisco, expand the parent zone and Child Zones nodes, select the sanfrancisco zone, right-click, then click Properties.

  4. On the General tab, select the Support agentless client option.

  5. Select the Active Directory attribute to use for storing the password hash.

    Depending on the password synchronization service you are using and the Active Directory schema, select one of these attributes:

    • altSecurityIdentities if you are using the Delinea Password Synchronization program. Do not select this option if you are using a Microsoft password synchronization service.
    • msSFU30Password if you are using the Microsoft Windows Services for UNIX Password Synchronization Service. If you are using the Delinea Password Synchronization program, you can choose this attribute if you have the SFU schema installed.
    • unixUserPassword if you are using the Microsoft UNIX Identity Management Service and are using the Delinea Password Synchronization program.

  6. Verify the default NIS domain name.

    By default, the zone name is used as the NIS domain name because this makes it easy to identify the scope of the information available to NIS clients. You can type a different name in the zone properties if you choose. Whether you use the default name or another name for the NIS domain, you must use the same name when you configure the NIS clients. For more information about configuring NIS clients, see Configuring NIS clients.

  7. Click OK to save the changes and close the zone Properties.

Selecting a Computer for NIS Authentication

You can designate any computer in a zone to act as the NIS server for the zone by setting the Allow this computer to authenticate NIS users computer property as described in “Adding Support for Agentless Clients” in the Administrator’s Guide for Linux and UNIX. For example, expand the Computers node in the zone that will service NIS client requests, select the computer account, right-click to select Properties, then click the Delinea Profile tab to set this option.

The computer account acting as a NIS server for the zone must be able to access the attribute containing the password hash for agentless authentication to be successful.

Selecting Allow this computer to authenticate NIS users adds the computer account to the zone_nis_servers Active Directory group. Computer accounts that are placed in the zone_nis_servers group are automatically granted permission to read the attribute that stores the password hash for users in the zone.

This property setting enables the computer account to access the password hash so that it can authenticate users in response to NIS client requests. However, you must manually install and start the Delinea Network Information Service on the physical computer before the computer can act as a NIS server.

Configuring a Password Synchronization Service

The Delinea Network Information Service must be able to retrieve the current password hash for zone users in order for it to respond to agentless authentication requests from NIS clients. Active Directory, however, does not generate a password hash for users by default. This task is handled by the password synchronization service. Therefore, to generate the password hash for zone users, you first need to install a password synchronization service.

You can install the password synchronization service with the Server Suite or separately using a standalone setup program. Once deployed, it ensures the passwords served by the Delinea Network Information Service are always up-to-date. With a password synchronization service, any time users change their Active Directory password, the corresponding password hash in their user profile is updated to reflect the change. Depending on your environment, you can choose to install one of the following:

  • Delinea Password Synchronization program
  • Microsoft Windows Services for UNIX Password Synchronization Service
  • Microsoft Windows UNIX Identity Management Service

Regardless of the password synchronization service you choose to use, the service must be installed on all domain controllers in the Active Directory domain where you are enabling agentless authentication.

Using Delinea Password Synchronization

You can install the Delinea Password Synchronization program using the Server Suite setup program. Alternatively, you can install Delinea Password Synchronization independently of the Server Suite using its own setup program. If you already installed the Delinea Password Synchronization program using the Server Suite setup program, you can skip this section.

To install the Delinea Password Synchronization program:

  1. Copy the CentrifyDC_PasswordSync-n.n.n-win64 package to your Active Directory domain controller.

  2. Open the CentrifyDC_PasswordSync-n.n.n-win64 executable or Microsoft software installation (.msi) file to start the setup program.

    You can run the setup program interactively or silently if you use the Microsoft software installation (.msi) file. If you are installing silently using the msiexec program, you can skip the steps in this section.

  3. At the Welcome page, click Next.

  4. Review the terms of the license agreement. If you accept the license agreement, select I accept the terms of the license agreement, then click Next.

  5. Type your name and company, select who should be able to use this application on the computer, then click Next.

  6. Select a restart option, then click Finish.

Once installed, the Delinea Password Synchronization program will generate the initial password hash when users next change their password, then update the password hash at each password change thereafter. The password hashes are created using DES encryption with a two-character salt. If the password hash is stored in the altSecurityIdentities attribute, it has a prefix of cdcPasswordHash, for example:

cdcPasswordHash:VkievQ69VhYKc

If the password hash is stored in one of the other supported attributes, it is stored without a prefix.

When a user changes his Active Directory password, the Delinea Password Synchronization program discovers the zones to which that user has access and updates the appropriate attribute that holds the password hash for that user in each zone.

The initial password hash is only generated when the user changes his password. You may want to force users to change their password at the next logon so that the password hash is generated at the earliest opportunity. Client authentication requests may fail for users who do not have a password hash available. If the password hash field in the passwd.byname or passwd.byuid map displays a single exclamation point (!), it indicates that the user’s password hash has not been set.
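The following Python helper is an added example, not code from this guide or from the Delinea product. It applies the two checks described above: it pulls the bare DES hash out of whichever of the three supported attributes a zone uses (honouring the cdcPasswordHash prefix that only altSecurityIdentities carries), and it scans a passwd.byname or passwd.byuid map for users whose hash field is still "!", i.e. users for whom agentless authentication will fail until they change their password. It assumes attribute values arrive as lists (as LDAP multi-valued attributes do); the sample map and the X509 value are constructed.

```python
import re

# Traditional DES crypt(3) hash: a 2-character salt followed by 11 hash characters,
# all drawn from the [./0-9A-Za-z] alphabet (13 characters in total), e.g. VkievQ69VhYKc.
DES_HASH_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
HASH_PREFIX = "cdcPasswordHash:"
HASH_ATTRIBUTES = ("altSecurityIdentities", "msSFU30Password", "unixUserPassword")


def extract_hash(attribute, values):
    """Return the bare DES hash found among an attribute's values, or None if no
    well-formed hash is present.

    altSecurityIdentities is multi-valued and stores the hash with the
    cdcPasswordHash: prefix; the other two attributes store it without a prefix.
    """
    if attribute not in HASH_ATTRIBUTES:
        raise ValueError(f"unsupported password hash attribute: {attribute}")
    for value in values:
        if attribute == "altSecurityIdentities":
            if not value.startswith(HASH_PREFIX):
                continue  # some other identity mapping (e.g. an X509: entry), not the hash
            value = value[len(HASH_PREFIX):]
        if DES_HASH_RE.match(value):
            return value
    return None


def users_without_hash(passwd_map):
    """Given the text of a passwd.byname or passwd.byuid map (passwd(5) format),
    return the user names whose password field is '!', meaning the password
    synchronization service has not generated a hash for them yet."""
    missing = []
    for line in passwd_map.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "!":
            missing.append(fields[0])
    return missing


# Constructed sample map: alice has a hash, bob and carol have not changed their password yet.
SAMPLE_MAP = """\
alice:VkievQ69VhYKc:10001:10001:Alice Example:/home/alice:/bin/bash
bob:!:10002:10001:Bob Example:/home/bob:/bin/bash
carol:!:10003:10001:Carol Example:/home/carol:/bin/sh
"""

if __name__ == "__main__":
    # Constructed altSecurityIdentities values: a certificate mapping plus the hash.
    print(extract_hash("altSecurityIdentities",
                       ["X509:<I>DC=example<S>CN=alice", "cdcPasswordHash:VkievQ69VhYKc"]))
    print(users_without_hash(SAMPLE_MAP))
```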

Using Microsoft Password Synchronization Service

If you choose to use one of the password synchronization services provided by Microsoft instead of the Delinea Password Synchronization program, follow the instructions provided with the software to install the service. In general, you need to do the following to use the Microsoft password synchronization services:

  • Set the Windows domain to the domain you joined after installing the Delinea Agent for *NIX.

  • Set the NIS domain name to the zone name you specified when you joined the domain. For example, if you are using the default zone, set the NIS domain to default. Although you can set the NIS domain name to something other than the zone name when creating or modifying a zone’s properties, you must use the zone name for this setting if you use Microsoft password synchronization.

  • Set the NIS Server name to the host name of the computer running both the adclient and adnisd services.

  • Give user accounts access to the zone and NIS domain. If you are using the Microsoft Windows Services for UNIX, select the zone name from the list of NIS domains on the UNIX Attributes tab.

    The rest of the fields on the UNIX Attributes tab are not used by Server Suite, but you are required to enter information for these fields to enable the NIS domain for the user. Therefore, you should specify a UID, Login shell, Home directory, and Primary group for the user account, then click OK.

Locating Zones for Password Synchronization

Only Active Directory users with a UNIX profile created using the Access Manager console include the attribute (parentLink) needed to look up their zone information for password synchronization. You can use the Orphan Unix data objects option in the Analyze Wizard to check the forest for accounts missing this attribute setting and attempt to correct the problem.

If the Analysis Results display a Warning for the Orphan Unix data objects check, you can right-click, then select Properties to view additional details. If the profile is missing the parentLink attribute, select the warning, right-click, then select Populate parentLink attribute to define this attribute for the user.

For more information about troubleshooting issues for the Delinea Network Information Service, see Troubleshooting and Logging NIS Operations. For more information about using the Analyze wizard in the Access Manager console, see “Analyzing information in Active Directory” in the Administrator’s Guide for Linux and UNIX.