Supplemental Installation Notes

This document includes various notes about installing Server Suite on different operating system platforms.

Verifying the DNS Configuration on Linux

The Server Suite Authentication Service (DirectControl) uses DNS to locate domain controllers for the Active Directory forest. To verify that an Active Directory domain controller can be located through DNS, try sending a ping request to the domain controller by its host name.

You can also run the adinfo --diag command to attempt to read the DNS records for the domain you want to join. For example:

adinfo --diag domain_name

If DNS is properly configured, the command should display the LDAP URLs for the domain controllers in the domain you want to join.
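As an added example (not part of the Server Suite documentation or of adclient), the following shell script queries the DNS SRV records that an Active Directory client relies on to find domain controllers, which is what the adinfo --diag check above depends on. It assumes the dig utility is installed; the sample answer lines are constructed.

```sh
#!/bin/sh
# Added example, not part of the Server Suite documentation or adclient itself.
# Looks up the SRV records an Active Directory client uses to find domain
# controllers, so a DNS problem is visible before running adinfo --diag / adjoin.
# Assumes the dig utility is installed.

# SRV names a client queries for a domain (LDAP and Kerberos on the DCs).
ad_srv_names() {
  domain=$1
  printf '%s\n' \
    "_ldap._tcp.dc._msdcs.$domain" \
    "_kerberos._tcp.dc._msdcs.$domain" \
    "_ldap._tcp.$domain"
}

# Reads "dig +short ... SRV" answer lines (priority weight port target.) on
# stdin and prints the preferred target: lowest priority, then highest weight.
# (A real resolver picks randomly among equal priorities in proportion to
# weight; the deterministic choice here is enough for a diagnostic.)
pick_dc() {
  sort -k1,1n -k2,2nr | awk 'NR == 1 { sub(/\.$/, "", $4); print $4 }'
}

# Query every SRV name for the domain; fail on the first missing record.
check_srv() {
  domain=$1
  for name in $(ad_srv_names "$domain"); do
    answer=$(dig +short "$name" SRV 2>/dev/null)
    if [ -z "$answer" ]; then
      echo "MISSING: $name (DNS cannot locate a domain controller)"
      return 1
    fi
    echo "OK: $name -> $(printf '%s\n' "$answer" | pick_dc)"
  done
}

# Constructed sample of dig +short output, used to exercise pick_dc offline.
SAMPLE_SRV='10 100 389 dc2.example.com.
0 100 389 dc1.example.com.
0 50 389 dc3.example.com.'

# Run as: sh ad_srv_check.sh example.com
if [ -n "${1:-}" ]; then
  check_srv "$1"
fi
```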

For more detailed information about configuring DNS or troubleshooting your DNS configuration, see the Administrator’s Guide for Linux and UNIX.

Joining the Domain (Zoned Mode Only)

To join an Active Directory domain manually:

  1. On the Linux computer, log in as or switch to the root user.

  2. Run adjoin to join an existing Active Directory domain using a fully-qualified domain name.

    adjoin --zone <zone_name> --user <user_name> <domain_name>

    The user account you specify must have permission to add computers to the specified domain and zone. If you don't specify a user name, the Administrator account is used by default.

  3. Type the password for the specified user account.

    If the authentication service can connect to Active Directory and join the domain, a confirmation message is displayed. You can now enable existing Active Directory groups and users to work with this UNIX computer.

For more information about the options you can specify when joining a domain, see the man page for the adjoin command or the Administrator’s Guide for Linux and UNIX.

To step through common tasks and test scenarios, see the Evaluation Guide for Linux and UNIX.

Joining the Domain (Express mode)

To join an Active Directory domain manually:

  1. On the UNIX computer, log in as or switch to the root user.

  2. Run adjoin to join an existing Active Directory domain using a fully-qualified domain name.

    adjoin --workstation --user <user_name> <domain_name>

    The user account you specify must have permission to add computers to the specified domain. If you don't specify a user name, the Administrator account is used by default.

  3. Type the password for the specified user account.

    If the authentication service can connect to Active Directory and join the domain, a confirmation message is displayed.

For more information about the options you can specify when joining a domain, see the man page for the adjoin command or the Administrator’s Guide for Linux and UNIX.

HP-UX Installation Notes

This section describes the unique characteristics or known limitations that are specific to using the authentication service on a computer running the HP-UX operating environment.

ia64 - Mapping Local HP-UX User Accounts to Active Directory Accounts

In most environments, you can map local user accounts to Active Directory accounts to manage the passwords for local users using your Active Directory password policies. On HP-UX, however, if an account is a valid Active Directory account but the authentication through Active Directory fails, the PAM module will attempt to authenticate the account locally and will allow the account to log on if the local authentication succeeds. Because users can still log on to HP-UX systems using their local account password, you cannot effectively use Active Directory or the User Map group policy to enforce your password policies for local HP-UX user accounts.

To enforce Active Directory password policies for local HP-UX users, you need to disable the local user accounts to prevent those local account names and passwords from being used to log on.

Entering an Incorrect Password on HP-UX

On HP-UX, if Server Suite-enabled users enter an incorrect password, they are normally prompted with a second "System password" prompt. This prompt is asking for a password for a local user, regardless of whether that user actually exists locally on the system. If the user exists locally, this prompt allows the user to log in using the local password. If the user does not exist locally, this prompt is unnecessary and will not allow the authentication service-enabled user to log in, regardless of the password entered.

This second prompt can be avoided by changing the options in /etc/pam.conf to the authentication modules. Two changes are necessary:

  1. Add an option to the authentication service PAM module to prompt all users for a password (not just Active Directory users)

  2. Add an option to the HP-UX UNIX login module to use the password obtained by the authentication service module.

    The lines which need to be modified appear like this in the file:

    service_name auth sufficient /usr/lib/security/libpam_centrifydc.1 debug

    service_name auth required /usr/lib/security/libpam_unix.1

    Where service_name is a service such as login, dtlogin, or ftp. The libpam_centrifydc.1 line needs the ask option to prompt all users for a password. The libpam_unix.1 line needs the use_first_pass option. For example:

    login auth sufficient /usr/lib/security/libpam_centrifydc.1 debug ask

    login auth required /usr/lib/security/libpam_unix.1 use_first_pass

    It is extremely important that the libpam_centrifydc line appear before the libpam_unix line in the file; otherwise users will never be prompted for a password. Administrators should be extremely careful when editing this file. Any typographical error in this file could prevent all users from logging on to the system and render the system unusable.
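Because a mistake in /etc/pam.conf can lock every user out, it is worth checking the file before and after the edit. The following added shell script (not part of the Server Suite documentation) lints the auth entries for the ordering rule and the two options described above; the sample pam.conf contents are constructed.

```sh
#!/bin/sh
# Added example, not part of the Server Suite documentation. Lints an HP-UX
# /etc/pam.conf for the two changes above (ask on libpam_centrifydc.1,
# use_first_pass on libpam_unix.1) and for the ordering rule that the
# libpam_centrifydc line must precede the libpam_unix line for each service.
# Reads the file on stdin; prints one finding per line, exit 1 if any found.
# Usage: lint_pam_conf < /etc/pam.conf
lint_pam_conf() {
  awk '
    # HP-UX pam.conf fields: service type control module-path [options...]
    # Only "auth" entries matter here; skip comments and other types.
    /^[ \t]*#/ || $2 != "auth" { next }
    $4 ~ /libpam_centrifydc/ {
        seen_cdc[$1] = 1
        ok = 0
        for (i = 5; i <= NF; i++) if ($i == "ask") ok = 1
        if (!ok) { print $1 ": libpam_centrifydc auth line is missing the ask option"; problems++ }
    }
    $4 ~ /libpam_unix/ {
        if (!($1 in seen_cdc)) { print $1 ": libpam_unix auth line appears before (or without) a libpam_centrifydc line"; problems++ }
        ok = 0
        for (i = 5; i <= NF; i++) if ($i == "use_first_pass") ok = 1
        if (!ok) { print $1 ": libpam_unix auth line is missing the use_first_pass option"; problems++ }
    }
    END { exit (problems > 0) }
  '
}

# Constructed sample: the corrected lines from the text for the login service.
sample_good_pam_conf() {
  cat <<'EOF'
login auth sufficient /usr/lib/security/libpam_centrifydc.1 debug ask
login auth required /usr/lib/security/libpam_unix.1 use_first_pass
login account required /usr/lib/security/libpam_unix.1
EOF
}

# Constructed sample with all three mistakes for the dtlogin service:
# wrong order, no ask, no use_first_pass.
sample_bad_pam_conf() {
  cat <<'EOF'
dtlogin auth required /usr/lib/security/libpam_unix.1
dtlogin auth sufficient /usr/lib/security/libpam_centrifydc.1 debug
EOF
}
```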

AIX Installation Notes

Support for AIX Capabilities Attribute

Support has been added for the AIX Capabilities user attribute, a feature that is only available on AIX 5.3 and later. To enable the feature, edit /etc/centrifydc/centrifydc.conf to add the following line:

lam.method.version: 520

This allows using methods that are only available with AIX 5.3 and later, and these methods are required to support the Capabilities attribute.

Use adquery to view capabilities for an Active Directory user:

adquery user -X aix.capabilities <ADuser>

Use adupdate to set capabilities for an Active Directory user:

adupdate modify user -X +aix.capabilities=CAPABILITIES <ADuser>

Where CAPABILITIES is a comma-separated list of capabilities to add for the user. For example:

CAP_NUMA_ATTACH, CAP_BYPASS_RAC_VMM, CAP_PROPAGATE

Currently there is no group policy support for capabilities; this may be implemented in a future release of the authentication service.

Users Cannot Log in by way of FTP if They Have a Restricted Shell

On AIX 6.1, a user's login shell must appear in the shells attribute of the /etc/security/login.cfg file. Delinea Privilege Elevation Service does not add dzsh to this attribute, so by default an FTP user whose login shell is dzsh cannot log in. To work around this issue, add /usr/bin/dzsh to the shells attribute of /etc/security/login.cfg.
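An added shell example (not part of the Server Suite documentation) that applies this workaround only when needed, using the AIX lssec and chsec stanza tools; the lssec output format "usw shells=<list>" is an assumption, and the list handling is kept in a separate function so it can be checked without touching the system file.

```sh
#!/bin/sh
# Added example, not part of the Server Suite documentation. Adds /usr/bin/dzsh
# to the shells attribute of /etc/security/login.cfg on AIX only if it is not
# already listed, using the AIX lssec/chsec stanza tools. The exact output
# format of lssec ("usw shells=<list>") is an assumption here.

# Pure helper: append a shell to a comma-separated list unless already present.
# Prints the resulting list; returns 1 if nothing needed to change.
add_shell_if_missing() {
  list=$1
  shell=$2
  if [ -z "$list" ]; then
    printf '%s\n' "$shell"
    return 0
  fi
  case ",$list," in
    *",$shell,"*) printf '%s\n' "$list"; return 1 ;;
    *) printf '%s\n' "$list,$shell" ;;
  esac
}

# Read the current shells attribute, add dzsh if missing, write it back.
# Must run as root on the AIX system.
update_login_cfg_shells() {
  cfg=/etc/security/login.cfg
  current=$(lssec -f "$cfg" -s usw -a shells | sed 's/^usw shells=//')
  if new=$(add_shell_if_missing "$current" /usr/bin/dzsh); then
    chsec -f "$cfg" -s usw -a "shells=$new"
    echo "added /usr/bin/dzsh to the shells attribute in $cfg"
  else
    echo "/usr/bin/dzsh is already listed in $cfg"
  fi
}
```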

Starting and Stopping DirectControl on AIX

Because the authentication service daemon, adclient, is defined as an AIX system resource, you use the following commands to start, stop, and check the status of the daemon:

startsrc -s centrifydc

stopsrc -s centrifydc

lssrc -s centrifydc

Using the Server Suite Authentication Service LDAP Proxy on AIX

When using the LDAP Proxy on AIX, you need the following line in the slapd configuration file at /usr/share/centrifydc/etc/openldap/ldapproxy.slapd.conf:

moduleload /usr/share/centrifydc/libexec/openldap/libback_centrifydc.a(libback_centrifydc.so.0)

This should be entered as a single line into the configuration file. This line may already be in the configuration file, but commented out, in which case you can just remove the leading "#" to uncomment it.

Setting the DNS Configuration Parameter to Join the Domain on SuSE Linux

To successfully join an Active Directory domain on computers running SuSE Linux, you must set the mdns option to off in the /etc/host.conf file. If your /etc/host.conf file does not include the following line, add it to the file:

mdns off

This setting is required for proper DNS resolution, so it must be in place before the computer joins the domain and for users to log on properly.