
A better way to manage local accounts with the Centrify Identity Platform


By Centrify Contributor II ‎03-28-2017 08:08 AM

So you're already managing user accounts in Active Directory, but what about those pesky system accounts you're still managing in /etc/passwd? Wouldn't it be great to manage them with Centrify too? In this article we'll demonstrate how to securely manage local accounts using a combination of Centrify Server Suite and Centrify Privilege Service.

 

Prerequisites 

1. Centrify Server Suite - You will need Centrify Server Suite (2016 or later) deployed in your environment for the Local Account Provisioning feature.

2. Centrify Privilege Service - to be used for the secure storage of the local account password.

2b.  You will also need a Centrify Connector running somewhere in your environment to facilitate communications between the Linux server and Centrify Privilege Service.

3.  We will also leverage the Centrify Privilege Service CLI toolkit which is packaged with the CPS Linux Agent to set the password programmatically.  (You can obtain this by logging into CPS, Setting --> Centrify Agent)

 

Step 1 - Create the Local Account 

Let's create the local account quickly and easily using Centrify Server Suite. Open Centrify Access Manager and create the local account by expanding the zone, expanding "UNIX Data" and selecting Local Users. Right-click and choose "Add User to Zone". Fill in the local account details. (Note: You may wish to create a local group before creating the local user.)

 

[Image: blog1.png]

(Tip:  See a more detailed explanation of this process by Centrify Professional Services All-Star tchariya here.) 

 

Step 2 - Secure the Password 

We will leverage the Centrify Privilege Service CLI toolkit to secure the local account password. 

 

First, log into the target resource and verify the local account has been created:

[Image: blog2.png]

(Tip: Run adflush to get the account to populate if you have just created it in Access Manager.)

 

Secure the password in Centrify Privilege Service using the csetaccount CLI command with the following parameters to generate a random managed password for the account testlocal2:

dzdo csetaccount -P -m testlocal2

 

Finally, go into Centrify Privilege Service and verify the account has been added.  (Resources --> Servername --> Accounts)

[Image: blog3.png]

(Note: Don't forget to edit the permissions on the newly added account to allow other Centrify Privilege Service users to interact with the account, e.g. request access to the account, check out the password, or log in remotely.)

 

As an example, here is the password that was securely generated for the account.  

[Image: blog_password2.png]

  

The password can be retrieved from the Centrify Privilege Service web interface or programmatically from the UNIX/Linux command line using the cgetaccount command, as in this example shell script, which places it in a variable. This is a good way to avoid using cleartext passwords in scripts.

#!/bin/bash
# Check out the managed password for testlocal2 on engcen6.centrify.vms into a variable
# instead of hard-coding it in the script (do not echo or log the variable afterwards)
PASSWORD=$(dzdo /usr/sbin/cgetaccount --silent engcen6.centrify.vms/testlocal2)

(Note: There are additional examples of this provided with the Centrify Privilege Service Linux Agent - look in the /usr/share/centrifycc/samples/apppassword/ directory).
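Building on the snippet above, here is an added example (not from the article or the Centrify sample scripts) of wrapping cgetaccount so that a script checks out the managed password and hands it to a consumer over standard input, keeping it out of command lines, the process environment and shell history. It assumes cgetaccount is invoked exactly as shown in the article; CGETACCOUNT_CMD, checkout_password, validate_target and run_with_secret are names introduced here.

```shell
#!/bin/sh
# Added example: safe handling of a password checked out from Centrify Privilege Service.
# CGETACCOUNT_CMD is a hypothetical override hook so the wrapper can be tested without
# a CPS agent; the default is the invocation from the article.
CGETACCOUNT_CMD="${CGETACCOUNT_CMD:-dzdo /usr/sbin/cgetaccount --silent}"

# validate_target RESOURCE/ACCOUNT
# Accept only a single "resource/account" pair made of safe characters, so a bad or
# tampered value can never turn into extra CLI arguments or shell metacharacters.
validate_target() {
    case "$1" in
        ""|/*|*/|*/*/*|*[!A-Za-z0-9._/-]*) return 1 ;;
        */*) return 0 ;;
        *) return 1 ;;
    esac
}

# checkout_password RESOURCE/ACCOUNT
# Prints the checked-out password (no trailing newline) on stdout; fails if the
# lookup fails or returns nothing, so callers never proceed with an empty secret.
checkout_password() {
    validate_target "$1" || return 2
    secret=$($CGETACCOUNT_CMD "$1") || return 1
    [ -n "$secret" ] || return 1
    printf '%s' "$secret"
}

# run_with_secret RESOURCE/ACCOUNT COMMAND [ARGS...]
# Checks out the password and pipes it into COMMAND's stdin (for tools that accept a
# password on stdin), so it never appears in `ps` output or in the environment.
# Returns COMMAND's exit status.
run_with_secret() {
    target=$1
    shift
    secret=$(checkout_password "$target") || {
        echo "run_with_secret: could not check out password for $target" >&2
        return 3
    }
    printf '%s\n' "$secret" | "$@"
    rc=$?
    unset secret   # drop this shell's copy as soon as it has been used
    return $rc
}
```

A typical call is run_with_secret engcen6.centrify.vms/testlocal2 some-tool --password-stdin, where some-tool stands for any program that reads its password from standard input.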

 

The process described in this article can be automated! There is a sample script provided with the CPS Linux Agent that illustrates how to automatically set random passwords and create home directories for new local accounts, how to set random passwords for newly unlocked local users, and how to display users that were removed or locked. (The script can be found in /usr/share/centrifycc/samples/localacctmgmt/.)

 

And there you have it, a better way to manage local accounts securely using the Centrify Identity Platform!
