What you'll need
- Commercial users: All that is required to follow along is a Centrify zone and Access Manager with at least one role that can be assigned to the users.
Ideally the users to be imported already exist in AD, or you have the ability to create the accounts.
- Express users: All you need to do is use the command-line tools adfixid and adrmlocal, since Express provides a fixed scheme for UNIX identities (login = AD username; UID = generated automatically for you; GID = auto-private, same as the UID; GECOS = AD display name; Home/Shell = platform defaults).
- Unlike Centrify Express, Centrify Standard Edition gives you full flexibility when manipulating UNIX identity attributes such as login, UID, GID, GECOS, Home and Shell.
- By default, nobody can access a system running Standard Edition with Centrify zones.
- To access a system, a user needs both a UNIX identity and a Role.
A little bit of planning
In a true implementation, the design dictates the identity strategy, and there are two basic questions:
- Are you keeping your existing namespace (login, UID, GID, etc.)? OR
- Are you normalizing your namespace? (highly recommended)
Why is normalizing the right thing to do? It comes down to being proactive instead of reactive: maintaining the status quo keeps the same issues you may have today (such as users with different login names or UIDs on different systems). Once migrated, this is what we appropriately call a "centralized mess". However, you may have a legitimate reason to keep the same scheme, because it is already normalized or because the systems are too sensitive to get the change control necessary for the migration.
Identity Provisioning Process
After all users have been migrated, a process has to be put in place to provision (or deprovision) UNIX identities to (or from) AD users. There are several ways to do it:
- Manually with Access Manager or Active Directory Users and Computers
- Automatically via any Centrify-supplied utilities (zone provisioning agent), PowerShell, adedit
- Automatically with your own program.
For example, with the ZPA, just by adding an AD user to (or removing them from) a group, they automatically get (or lose) their UNIX identity.
Information to be gathered
All that is required is a consolidated file with all users in standard UNIX (/etc/passwd) format. Access Manager can also extract information from a NIS file or from a Deployment Manager database. If you are normalizing your environment, you have to identify and fix inconsistencies like:
- Users with more than one GID
- Users with more than one Home
- Users with more than one Shell
- Users with more than one UID
- UIDs with more than one username associated
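The five checks above, as an added example that is not part of the original article: it reads a consolidated list in which each line is a hostname followed by the host's /etc/passwd entry for a user (a constructed sample is embedded) and reports every conflict that would have to be fixed before the Access Manager import.

```python
# Added example (not Centrify code): find the inconsistencies the article lists
# in a consolidated passwd-format user list gathered from several hosts.
from collections import defaultdict

# Constructed sample: the same logins as seen on three hosts.
# Each line is <hostname>:<7-field /etc/passwd entry>.
SAMPLE = """\
web01:jmatthews:x:1001:1001:Jane Matthews:/home/jmatthews:/bin/bash
web01:rsmith:x:1002:1002:Rob Smith:/home/rsmith:/bin/bash
db01:jmatthews:x:1001:100:Jane Matthews:/home/jmatthews:/bin/ksh
db01:rsmith:x:1005:1002:Rob Smith:/export/home/rsmith:/bin/bash
app01:rsmith:x:1002:1002:Rob Smith:/home/rsmith:/bin/bash
app01:backup:x:1001:1001:Backup svc:/var/backup:/sbin/nologin
"""

def parse_consolidated(text):
    """Yield (host, login, uid, gid, home, shell) per record; skip malformed lines."""
    for raw in text.splitlines():
        host, sep, passwd = raw.partition(":")
        fields = passwd.split(":")
        if not sep or len(fields) != 7:
            continue  # not a 7-field passwd entry, nothing to consolidate
        login, _pw, uid, gid, _gecos, home, shell = fields
        yield host, login, int(uid), int(gid), home, shell

def find_inconsistencies(text):
    """Return {category: {key: sorted conflicting values}} for the five checks."""
    per_user = {"gid": defaultdict(set), "home": defaultdict(set),
                "shell": defaultdict(set), "uid": defaultdict(set)}
    logins_per_uid = defaultdict(set)
    for _host, login, uid, gid, home, shell in parse_consolidated(text):
        per_user["uid"][login].add(uid)
        per_user["gid"][login].add(gid)
        per_user["home"][login].add(home)
        per_user["shell"][login].add(shell)
        logins_per_uid[uid].add(login)   # one UID shared by several logins
    report = {}
    for attr, by_login in per_user.items():
        conflicts = {u: sorted(v) for u, v in by_login.items() if len(v) > 1}
        if conflicts:
            report[f"users_with_multiple_{attr}"] = conflicts
    shared = {u: sorted(v) for u, v in logins_per_uid.items() if len(v) > 1}
    if shared:
        report["uids_with_multiple_logins"] = shared
    return report

if __name__ == "__main__":
    print(find_inconsistencies(SAMPLE))
```

An empty report means the list is consistent enough to import as-is; otherwise each entry names the login (or UID) and the conflicting values to reconcile.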
The process is very simple:
- Migrate the UNIX identities from the source.
- Map the UNIX identities to their corresponding AD users.
- Accept the changes and assign a role to each user.
- Clean up (and normalize) the local accounts.
On the Windows (AD) side
First, perform the import
- Save the consolidated user list (/etc/passwd format) in a Windows-accessible location.
- Open Access Manager and open the target zone that will receive the users.
- Expand the zone, right-click the UNIX Data node and select "Import from UNIX"; the import wizard starts at the Select Import Source page.
- Select UNIX configuration files and, for the /etc/passwd file, browse to the appropriate source (e.g. the old-data.txt file), then press Next.
- Make the appropriate selections in the Select Import Objects page and press Next.
- Select "Store in AD" in the Select Destination page.
- Review the summary page and press Finish.
At this point, the UNIX identities of the users contained in the file have been imported into AD. The next step is to match each UNIX profile with its corresponding AD user and accept the changes.
Identity Mapping and Role Assignment
- Navigate to Zone > UNIX Data > Users > Pending Import. You will see a list of objects that represent the UNIX identities imported from the file.
- Select all objects in the list, right-click and select "Check Status".
At this point, Access Manager does its best to match each UNIX identity with an AD candidate.
- Review each identity: make changes in its properties, or review the status and make sure that the import candidate is the appropriate user in AD. If a user does not have an AD candidate, you can create a user account from Access Manager. Once finished, select Accept. Repeat until all users are complete.
- At this point the accepted entries are in the UNIX Data > Users container (please refresh), and you can still make changes such as generating a new UID/GID based on the SID.
Normalize (if needed) and remove local accounts
- Optional: If you chose to normalize the namespace (or are using Express), then you have a problem. The UIDs in AD are different from the local UIDs, and to complicate things, all files (including home directories) belong to the local user, not the AD user.
Centrify includes another utility (adfixid) that recursively makes the changes in the file system as needed.
In this example, the AD user jmatthews has a different UID than the local user. If the user types jmatthews at the login prompt, he is granted access as the AD user and not the local user (since AD is consulted first), and he gets an error when attempting to change to his home directory.
- If you did not choose to change the UID/GID scheme for normalization purposes, all you need to do is delete the local users. Centrify offers a utility called adrmlocal that is built for that purpose.
[Video] Performing a migration (normalizing the namespace), 8 min 24 sec.