Planning for agentless authentication

In planning a deployment that supports agentless authentication for NIS clients, keep in mind that the zone associated with the computer where adnisd is installed defines the scope of information available to the NIS clients that the adnisd process serves. Each instance of adnisd supports one and only one zone, which is equivalent to a single NIS domain. The adnisd process can only look up information for the computers, groups, and users that exist in the same zone as the local computer account, and all instances of adnisd in the same zone respond to queries using the same information from Active Directory.

For users and groups to be available for agentless authentication, therefore, they must be enabled for the zone the Centrify Network Information Service serves. In addition, each zone that supports agentless authentication requires an Active Directory attribute for storing the password hash for UNIX-enabled users. The password hash is not created in Active Directory by default, so it must be generated and then maintained by a password synchronization service installed on all of your domain controllers. The Active Directory attribute that holds the password hash must be readable by the computers you are using as NIS servers in each zone.

Note: If you install the Centrify Network Information Service on multiple computers, whether in the same zone or across multiple zones, all of these instances are zone-specific peers. There are no master/slave instances.

If you decide you want to use the Centrify Network Information Service to support agentless authentication, you should:

  • Identify the zones for which you want to publish information. For example, if you want user and group information broadly available to NIS clients across the network and you have a parent zone, you may want to allow agentless authentication for all of the users in that zone. If you want to strictly control which users can be authenticated to NIS clients, you may want to create a separate agentless-authentication child zone that only contains those users and their groups. For each zone that supports agentless authentication, you must specify the Active Directory attribute for storing the password hash.
  • Identify the computers that should service NIS client requests in each zone. You can designate any computer that has the Centrify agent installed to also act as the Centrify Network Information Server in the zone. Any computer you want to use as the NIS server must have the Centrify UNIX agent installed and must be joined to an Active Directory domain.
  • Install a password synchronization service on all of the domain controllers in the joined domain.
  • Install and configure the Centrify Network Information Service (adnisd) on the selected computers in each zone. On the computers that will act as NIS servers in a zone, you must manually install and start the adnisd service. Alternatively, you can modify the startup script on each local computer so that the adnisd process starts whenever the local computer is rebooted. You may also want to customize the configuration parameters that control the operation of the adnisd process.
  • Configure computers and devices as NIS clients that bind to the Centrify Network Information Service on the selected computers in each zone. If any existing NIS servers are running, you will need to reconfigure the NIS clients on the network to use the computer where the Centrify Network Information Service is installed as their NIS server.
  • Import and enable the users and groups who need to be authenticated to NIS clients for the zone. You can migrate this information from existing NIS servers or local configuration files by importing passwd and group NIS maps or local /etc/passwd and /etc/group files using the Import from Unix wizard, or you can manually or programmatically create UNIX profiles for users and groups, as needed. The users and groups must have UNIX profiles stored in Active Directory and enabled for the local computer’s zone for the Centrify Network Information Service to generate the maps it needs to service agentless authentication and lookup requests from NIS clients.
  • Import and manage any additional NIS maps you want to make available to NIS clients. For example, you can import network maps such as netgroup and automount NIS maps or create custom maps using the Access Manager console.
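The import step above is where stale or inconsistent entries from old NIS servers and /etc/passwd files tend to surface. As an added example (not code from the original documentation or from Centrify), the following POSIX shell script sanity-checks a passwd NIS map before it is imported into a zone, or the map a bound NIS client receives with `ypcat passwd`: it reports users whose hash field is empty (a user whose hash the password synchronization service has not yet written), UIDs shared by more than one user, and malformed lines. All sample data, user names and hash strings are constructed.

```shell
#!/bin/sh
# Constructed sample of a passwd NIS map (not from the original page).
# Format: name:hash:uid:gid:gecos:home:shell
# "bob" has no hash yet; "alice" and "dave" collide on UID 10001;
# "carol" is a locked account and must not be reported.
SAMPLE_PASSWD_MAP='alice:$6$saltsalt$CONSTRUCTEDHASH1:10001:10001:Alice:/home/alice:/bin/bash
bob::10002:10002:Bob:/home/bob:/bin/bash
carol:*:10003:10003:Carol:/home/carol:/bin/sh
dave:$6$saltsalt$CONSTRUCTEDHASH2:10001:10004:Dave:/home/dave:/bin/bash'

# Write the sample map to a temporary file and print its path.
sample_map_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD_MAP" > "$f"
    echo "$f"
}

# Users whose hash field is empty. Classic passwd semantics treat an empty
# second field as "no password required", so such entries must not reach
# NIS clients. Locked entries ("*" or "!") are legitimate and are skipped.
users_without_hash() {
    awk -F: 'NF == 7 && $2 == "" { print $1 }' "$1"
}

# UIDs assigned to more than one user: merging several old NIS servers or
# /etc/passwd files into one zone often produces these, and a zone should
# carry one UNIX profile per UID.
duplicate_uids() {
    awk -F: 'NF == 7 { seen[$3]++ } END { for (u in seen) if (seen[u] > 1) print u }' "$1" | sort
}

# Lines that do not have exactly 7 colon-separated fields (truncated or
# garbled entries that an import would silently mangle).
malformed_entries() {
    awk -F: 'NF != 7 { print NR ": " $0 }' "$1"
}

# Print every finding; exit 0 only when all three checks are clean.
check_passwd_map() {
    status=0
    for check in users_without_hash duplicate_uids malformed_entries; do
        out=$("$check" "$1")
        if [ -n "$out" ]; then
            echo "$check:"
            echo "$out" | sed 's/^/  /'
            status=1
        fi
    done
    return $status
}

map=$(sample_map_file)
check_passwd_map "$map" || echo "map needs attention before import"
rm -f "$map"
```

On a real NIS client, replace the constructed file with the output of `ypcat passwd` to verify what the Centrify NIS server is actually publishing for the zone.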

Note: Importing existing NIS maps simply provides a mechanism for migrating information to Active Directory. Once the information is stored in Active Directory, the original NIS maps you imported are no longer used. Instead, the Centrify Network Information Service uses the information stored in Active Directory to automatically generate the maps it needs to service authentication and lookup requests. This local cache of data is refreshed at a regular interval.