Map the UNIX service account to the Active Directory user

After you create a new Active Directory user principal for the service account, the next step is to map the UNIX account to the Active Directory user.

In preparation for this step, you should notify the user community that the service account will be unavailable for a brief period of time, so that you can make the change and verify that everything works as expected. You should then stop the service and any jobs associated with the service account.

By notifying users and making the service account unavailable for a period of time, you can prevent the change from affecting people who depend on the service to do their jobs. You can then use Access Manager to select the service account and map it to an Active Directory user.

To map the service account to an Active Directory user with Access Manager:

  1. Start Access Manager.
  2. Navigate to the UNIX service account. You can find it under a specific computer’s Users node or under the Local Account Users node.
  3. Select the service account, right-click, then click Map to AD User.
  4. Type all or part of the Active Directory user name, click Find Now, then select the account in the results and click OK.

    Clicking OK updates the configuration on the remote host: the mapping is written to the agent configuration file (centrifydc.conf) as a pam.mapuser.<unixname> entry that names the Active Directory user. You could accomplish the same thing by manually editing that file or by setting the equivalent group policy.

  5. Verify that the service starts and runs as expected: switch to the root user or to the service account (for example with su) and start the service.
  6. Check the log files that the service account writes to. The entries should be routine service startup messages; confirm that there are no errors and no authentication failure messages, since either would indicate that the mapping or the Active Directory account is not working.

    After you verify that the service starts as expected and that any jobs it owns start successfully, you can notify users that the service is available or do additional testing. Depending on your organization and the service account you have mapped to Active Directory, developers, database owners, application owners, and others may want to do full regression testing or execute specific test cases.
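The following shell script is an added example, not part of the original procedure and not Centrify's own tooling. It shows how a practitioner could script the checks behind the last two steps: confirming that a centrifydc.conf-style file carries a pam.mapuser entry for the service account, and scanning the service log for error or authentication failure lines before declaring the mapping good. The account name svcapp, the Active Directory principal svcapp_ad@example.com, the start command, the log path and the sample file contents are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not Centrify's own tooling: post-mapping checks for a UNIX
# service account that has been mapped to an Active Directory user.
# Account names, paths and sample data are assumptions made for this example.

# Print the AD user that a centrifydc.conf-style file maps a UNIX account to.
# Lines look like "pam.mapuser.<unix_user>: <ad_user>"; commented lines are
# ignored. Returns 1 if no mapping is present.
mapped_ad_user() {
    conf="$1"; unix_user="$2"
    awk -v key="pam.mapuser.$unix_user:" '
        $1 !~ /^#/ && $1 == key { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$conf"
}

# Read service log text on stdin. Return 0 if it contains only routine
# messages, 1 if any line looks like an error or an authentication failure.
log_is_clean() {
    ! grep -Eiq 'authentication failure|permission denied|access denied|error'
}

# Start the service as the service account and check its log afterwards.
# Requires root (for su); it is defined here but not run by the self-check.
verify_start() {
    unix_user="$1"; start_cmd="$2"; log="$3"
    su - "$unix_user" -c "$start_cmd" || return 1
    log_is_clean < "$log"
}

# Constructed sample input so the checks can be exercised offline.
SAMPLE_CONF='# centrifydc.conf fragment (constructed sample)
pam.mapuser.svcapp: svcapp_ad@example.com
#pam.mapuser.retired: retired_ad@example.com'

SAMPLE_LOG_OK='svcapp: starting
svcapp: configuration loaded
svcapp: listening on port 8080'

SAMPLE_LOG_BAD='svcapp: starting
pam_centrifydc: authentication failure for user svcapp
svcapp: exiting'

# Exercise the helpers against the samples; return 0 only if all checks pass.
run_sample_checks() {
    conf=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_CONF" > "$conf"
    ad_user=$(mapped_ad_user "$conf" svcapp)
    rc=$?
    rm -f "$conf"
    [ "$rc" -eq 0 ] && [ "$ad_user" = "svcapp_ad@example.com" ] || return 1
    printf '%s\n' "$SAMPLE_LOG_OK" | log_is_clean || return 1
    printf '%s\n' "$SAMPLE_LOG_BAD" | log_is_clean && return 1
    return 0
}
```

In practice you would point mapped_ad_user at /etc/centrifydc/centrifydc.conf on the host and call verify_start with the real start command and log path; the sample checks exist only so the helpers can be exercised without a Centrify agent present.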