What happens during the typical log-on process

The core Centrify UNIX agent components work together to identify and authenticate the user whenever a user logs on to a computer through any UNIX program that requires the user to enter credentials. The following steps summarize that interaction to help you understand the processing of a typical log-on request. The process is similar, though not identical, for UNIX commands that only need to look up information about the current user or group.

Note:   The following steps focus on the operation of the agent rather than the interaction between the agent and Active Directory. In addition, these steps are intended to provide a general understanding of the operations performed through the agent and do not provide a detailed analysis of a typical log on session.

When a user logs on to the UNIX computer, the following takes place:

  1. A login process starts and prompts the user to supply a user name.
  2. The user responds by entering a valid local or Active Directory user name.
  3. The login process, which is a PAM-enabled program, then reads the PAM configuration (/etc/pam.conf, or the per-service file under /etc/pam.d on Linux) and determines that it should use the Centrify PAM module, pam_centrifydc, for identification.
  4. The login process passes the login request and the user name to the Centrify PAM service for processing.
  5. The pam_centrifydc service checks the pam.allow.override parameter in the Centrify agent configuration file to see if the user name entered is an account (for example, root or an emergency account) that should be authenticated locally.

    • If the user should be authenticated locally, the pam_centrifydc service passes the login request to the next PAM module specified in the PAM configuration file, for example pam_unix, which authenticates against the local /etc/passwd and /etc/shadow files. Override accounts therefore never depend on Active Directory being reachable.
    • If the user is not listed as an override account, the pam_centrifydc service continues with the login request, checks that the adclient process is running, and then passes the login request and user name to adclient.
  6. The adclient process connects to Active Directory and queries the Active Directory domain controller to determine whether the user name included in the request belongs to a user who has a UNIX profile in, and therefore access to computers in, the current computer’s zone.

    • If the adclient process is unable to connect to Active Directory, it queries the local cache to determine whether the user name has been successfully authenticated before. An offline log-on can therefore succeed only for a user who has previously logged on while the computer was connected.
    • If the user account does not have access to computers in the current zone or can’t be found in Active Directory or the local cache, the adclient process checks the Centrify agent configuration file to see if the user name is mapped to a different Active Directory user account with the adclient.mapuser.username parameter.
    • If the user name is mapped to another Active Directory account in the configuration file, the adclient process queries the Active Directory domain controller or the local cache to determine whether the mapped user name has access to computers in the current computer’s zone.
  7. If the user has a UNIX profile for the current zone, the adclient process receives the zone-specific information for the user, such as the user’s UID, the user’s local UNIX name, the user’s global Active Directory user name, the groups of which the user is a member, the user’s home directory, and the user’s default shell.
  8. The adclient process checks for NSS override settings (nss.group.override and nss.user.override) to determine whether there are any changes to the user profile or additional restrictions that should override the profile retrieved or prevent the user from logging on.
  9. The adclient process queries through the nss_centrifydc service to determine whether there’s another user currently logged in with the same UID.

    • If there is a potential conflict between a local user account and the UNIX profile for an Active Directory account, the adclient process notifies the pam_centrifydc service of the potential conflict.
    • The pam_centrifydc service checks the Centrify agent configuration file (the pam.uid.conflict parameter) to determine whether to issue a warning, ignore the conflict, or prevent the user from logging on.
    • If the login continues, the pam_centrifydc service asks the login process for a password.
  10. The login process prompts the user to provide a password and returns the password entered to the pam_centrifydc service.
  11. The pam_centrifydc service checks the pam.allow.users and pam.deny.users parameters in the Centrify agent configuration file to see if any user filtering has been specified to allow or deny access to specific user accounts. If any user filtering has been specified, the current user is either allowed to continue with the login process or denied access.
  12. The pam_centrifydc service checks the pam.allow.groups and pam.deny.groups parameters in the agent configuration file to see if any group filtering has been specified to allow or deny access to members of specific groups. If any group filtering has been specified, the current user is either allowed to continue with the login process or denied access based on group membership.
  13. If the current user account is not prevented from logging on by user or group filtering, the pam_centrifydc service queries the adclient process to see if the user is authorized to log on.
  14. The adclient process queries the Active Directory domain controller through Kerberos to determine whether the user is authorized to log on to the current computer at the current time.
  15. The adclient process receives the results of its authorization request from Active Directory and passes the reply to the pam_centrifydc service.
  16. The pam_centrifydc service does one of the following depending on the content of the authorization reply:

    • If the user is not authorized to use the current computer or to log in at the current time, the pam_centrifydc service denies the user’s request to log on through the UNIX login process.
    • If the user’s password has expired, the pam_centrifydc service sends a request through the UNIX login process asking the user to change the password. After the user supplies a new password that Active Directory accepts, the login process completes successfully.
    • If the user’s password is about to expire, the pam_centrifydc service notifies the user of impending expiration through the login process.
    • If the user is authorized to log on and has a current password, the login process completes successfully. If this is the first time the user has logged on to the computer through the Centrify agent, the pam_centrifydc service creates the user’s home directory at the path defined in the user’s zone profile and populates it from the skeleton directory specified in the agent configuration file by the parameter pam.homeskel.dir.
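
To make the ordering of these checks concrete, the following Python script is an added illustration written for this page; it is not Centrify code. It parses a constructed centrifydc.conf-style fragment and walks the checks in the order described above: override accounts, adclient.mapuser mapping, zone profile lookup, UID conflict, then user and group filtering. Active Directory, the local cache and the NSS lookup are replaced by in-memory tables, and the UID check consults a stand-in local passwd table. The pam.uid.conflict values and the "deny wins, a non-empty allow-list is exclusive" precedence are assumptions made for the demonstration, not statements about the product’s exact semantics.

```python
"""Simplified model of the pam_centrifydc admission checks (added example, not Centrify code)."""
import re

def parse_conf(text):
    """Parse centrifydc.conf-style 'key: value' lines; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf

def split_list(value):
    """List-valued parameters are treated as comma- or whitespace-separated."""
    return [v for v in re.split(r"[,\s]+", value) if v]

# Constructed sample configuration (values chosen for the demo only).
SAMPLE_CONF = """
pam.allow.override: root, backup           # authenticate these locally
adclient.mapuser.oracle: svc_oracle        # local name -> AD account
pam.allow.users:                           # empty = no user allow-list
pam.deny.users: contractor1
pam.allow.groups: unix-admins, devops
pam.deny.groups: leavers
pam.uid.conflict: error                    # assumed values: ignore|warn|error
"""

# Constructed stand-in for the zone profiles adclient would return.
ZONE_PROFILES = {
    "alice":       {"uid": 10001, "groups": ["unix-admins"]},
    "bob":         {"uid": 10002, "groups": ["devops", "leavers"]},
    "contractor1": {"uid": 10003, "groups": ["devops"]},
    "svc_oracle":  {"uid": 1001,  "groups": ["devops"]},
    "carol":       {"uid": 10004, "groups": ["finance"]},
}

# Constructed stand-in for local /etc/passwd entries used by the UID check.
LOCAL_UIDS = {"root": 0, "backup": 34, "oracle": 1001, "legacyapp": 10004}

def admit(username, conf, profiles=ZONE_PROFILES, local_uids=LOCAL_UIDS):
    """Return (decision, reason); decision is 'local', 'allow' or 'deny'."""
    # Step 5: override accounts bypass adclient entirely.
    if username in split_list(conf.get("pam.allow.override", "")):
        return "local", "pam.allow.override: handed to next PAM module"

    # Step 6: look up the user; fall back to adclient.mapuser.<name>.
    ad_name = username
    if ad_name not in profiles:
        ad_name = conf.get(f"adclient.mapuser.{username}", "")
        if ad_name not in profiles:
            return "deny", "no zone profile (and no mapped account)"
    profile = profiles[ad_name]

    # Step 9: UID collision with a differently named local account.
    clash = [n for n, u in local_uids.items() if u == profile["uid"] and n != username]
    if clash:
        mode = conf.get("pam.uid.conflict", "warn")   # assumed parameter semantics
        if mode == "error":
            return "deny", f"UID {profile['uid']} already used by local {clash[0]}"
        # 'warn' or 'ignore': login continues.

    # Step 11: user filtering; deny wins, non-empty allow-list is exclusive.
    if ad_name in split_list(conf.get("pam.deny.users", "")):
        return "deny", "pam.deny.users"
    allow_users = split_list(conf.get("pam.allow.users", ""))
    if allow_users and ad_name not in allow_users:
        return "deny", "not in pam.allow.users"

    # Step 12: group filtering, same shape as the user filter.
    groups = set(profile["groups"])
    if groups & set(split_list(conf.get("pam.deny.groups", ""))):
        return "deny", "pam.deny.groups"
    allow_groups = set(split_list(conf.get("pam.allow.groups", "")))
    if allow_groups and not (groups & allow_groups):
        return "deny", "not in pam.allow.groups"

    return "allow", f"authorized as {ad_name}"

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for user in ["root", "alice", "bob", "contractor1", "oracle", "carol", "mallory"]:
        print(f"{user:12} -> {admit(user, conf)}")
```

Running it shows why the order matters: carol is refused for the UID clash before her group membership is ever examined, while oracle is admitted only because the mapped account svc_oracle, not the local name, is what the filters and the zone profile see.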

The following figure provides a simplified view of a typical log-on process when using the Centrify agent.