Selecting a zone to use for NIS authentication

A computer’s zone is equivalent to a NIS domain for the Centrify Network Information Service. Each instance of the Centrify Network Information Service supports one and only one zone. All instances of the Centrify Network Information Service in the same zone respond to queries using the same information from Active Directory.

If user information from a zone needs to be available to NIS clients for agentless authentication, the Centrify Network Information Service must be able to access the password hash for zone users. However, because Active Directory does not generate a password hash for users by default, there’s no default attribute for storing this information.

To enable the password hash to be stored for users in a zone:

  1. Start Access Manager.
  2. In the console tree, expand the Zones node.
  3. Select the zone that will service NIS client requests, right-click, then click Properties.

    For example, if you want to work with a child zone, sanfrancisco, expand the parent zone and Child Zones nodes, select the sanfrancisco zone, right-click, then click Properties.

  4. On the General tab, select the Support agentless client option.
  5. Select the Active Directory attribute to use for storing the password hash.

    Depending on the password synchronization service you are using and the Active Directory schema, select one of these attributes:

    • altSecurityIdentities if you are using the Centrify Password Synchronization program. Do not select this option if you are using a Microsoft password synchronization service.
    • msSFU30Password if you are using the Microsoft Windows Services for UNIX Password Synchronization Service. If you are using the Centrify Password Synchronization program, you can choose this attribute if you have the SFU schema installed.
    • unixUserPassword if you are using the Microsoft UNIX Identity Management Service and are using the Centrify Password Synchronization program.
  6. Verify the default NIS domain name.

    By default, the zone name is used as the NIS domain name because this makes it easy to identify the scope of the information available to NIS clients. You can type a different name in the zone properties if you choose. Whether you use the default name or another name for the NIS domain, you must use the same name when you configure the NIS clients. For more information about configuring NIS clients, see Configuring NIS clients.

  7. Click OK to save the changes and close the zone Properties.