
[HOWTO] Using ADFIXID and ADRMLOCAL to clean-up the local unix environment

By Centrify Advisor I on ‎09-22-2015 09:48 AM - last edited ‎12-21-2015 02:11 AM

There are currently a lot of great articles on Community and in our Knowledge Base that help you configure and tweak Centrify Server Suite to meet your needs in your Unix and Windows environment. But there is a lack of online resources that discuss the different tools Centrify provides to clean up your Unix space, including /etc/passwd, /etc/group and local file space, i.e. home directories.

Without diving deep into Hierarchical Zone design, let us assume that you have integrated the Centrify Zone Provisioning Agent (ZPA) to auto-provision your Unix user and group space, providing the Unix environment with brand new and unique UIDs/GIDs. These UIDs/GIDs are stored in the Centrify zone structure inside Active Directory and pushed down to your Unix environment as needed.

If the UID/GID space was previously maintained using local files on a server that has since been Centrified, you should plan a clean-up of that local user and group space as well as the files on disk that are still owned by the old local IDs.

For example, on a local Unix server, the /etc/passwd file has the following entries:

[root@engcen5 ~]# tail -4 /etc/passwd
than:x:10057:10057:Than Chariya:/home/than:/bin/bash
wade:x:10063:10063:Wade Tongen:/home/wade:/bin/bash
clyde:x:10025:10025:Clyde Baum:/home/clyde:/bin/bash
tetsu:x:10022:10022:Tetsu Ishii:/home/tetsu:/bin/bash

But the Unix server now relies on Centrify to provide UIDs/GIDs for the environment, and the zone assigns different numeric IDs to the same user names:

[root@engcen5 ~]# adquery user
clyde:x:1627391092:1627391092:Clyde Baum:/home/clyde:/bin/bash
tetsu:x:1627391091:1627391091:Tetsu Ishii:/home/tetsu:/bin/bash
than:x:1627391106:1627391106:Than Chariya:/home/than:/bin/bash

The first command line tool Centrify provides is adfixid. Its man page summarises it as:

adfixid - change the ownership of a local user's files to match the user and group IDs defined for the user in Active Directory.

If adfixid is run without any flags, it only reports: it displays the list of UIDs/GIDs that would require ownership changes and modifies nothing.

[root@engcen5 ~]# adfixid
3 user-id conflicts were found.
Local UID(Name/Map)             Zone UID(Name)          Resolution      ID Map
------------------------------  ----------------------  --------------  ------
10022(tetsu)                    1627391091(tetsu)       Use zone ID     1627391091
10025(clyde)                    1627391092(clyde)       Use zone ID     1627391092
10057(than)                     1627391106(than)        Use zone ID     1627391106

3 group-id conflicts were found.
Local GID(Name/Map)             Zone GID(Name)          Resolution      ID Map
------------------------------  ----------------------  --------------  ------
10022(tetsu)                    1627391091(tetsu)       Use zone ID     1627391091
10025(clyde)                    1627391092(clyde)       Use zone ID     1627391092
10057(than)                     1627391106(than)        Use zone ID     1627391106

If adfixid -c/--commit is run, file ownership is changed to the UID/GID specified in AD.

If adfixid -C/--commit-all is run, file ownership is changed and /etc/passwd and /etc/group are updated as well.

Running adfixid -C returns:

[root@engcen5 ~]# adfixid -C
15 file(s) changed

Examining the local files now shows the zone IDs in place:

[root@engcen5 ~]# tail -4 /etc/passwd
than:x:1627391106:1627391106:Than Chariya:/home/than:/bin/bash
wade:x:10063:10063:Wade Tongen:/home/wade:/bin/bash
clyde:x:1627391092:1627391092:Clyde Baum:/home/clyde:/bin/bash
tetsu:x:1627391091:1627391091:Tetsu Ishii:/home/tetsu:/bin/bash

[root@engcen5 ~]# cat /etc/group | grep 1627
tetsu:x:1627391091:
clyde:x:1627391092:
than:x:1627391106:

Keep in mind that adfixid provides additional options through flags. Unix administrators might want to use the --report option to output the list of files whose UID/GID was changed.

Taking the clean-up one step further: since the majority of the Unix user and group identity information is now stored in AD, cleaning up /etc/passwd and /etc/group should be the next task. Centrify provides an additional command line utility, adrmlocal, that removes entries from the local files when an entry of the same name exists in AD.

A quick look at the adrmlocal man page shows:

adrmlocal - reports and removes local user names that duplicate Active Directory user names

If adrmlocal is run without any flags, a quick report of the changes that would be made is displayed; no changes are made:

[root@engcen5 ~]# adrmlocal
3 local user(s) that are duplicated with AD users:
  than:uid(1627391106):gid(1627391106):ADuid(1627391106):ADgid(1627391106)
  clyde:uid(1627391092):gid(1627391092):ADuid(1627391092):ADgid(1627391092)
  tetsu:uid(1627391091):gid(1627391091):ADuid(1627391091):ADgid(1627391091)

4 local group(s) that are duplicated with AD groups:
  sysadm:gid(230):ADgid(230)
  tetsu:gid(1627391091):ADgid(1627391091)
  clyde:gid(1627391092):ADgid(1627391092)
  than:gid(1627391106):ADgid(1627391106)

Command summary
Users:
  3 duplicated local user(s) to be removed
  0 duplicated local user(s) in ignore list
  0 duplicated local user(s) deleted
  0 error(s) found when removing a local user
Groups:
  4 duplicated local group(s) to be removed
  0 duplicated local group(s) in ignore list
  0 duplicated local group(s) deleted
  0 error(s) found when removing a local group

adrmlocal requires one of three flags to make changes: -i/--interactive steps through each entry for removal, -c/--commit deletes all duplicates found and prompts for any conflicts, and -f/--force deletes all entries without prompting.

[root@engcen5 ~]# adrmlocal -i
3 local user(s) that are duplicated with AD users:
  than:uid(1627391106):gid(1627391106):ADuid(1627391106):ADgid(1627391106)
  clyde:uid(1627391092):gid(1627391092):ADuid(1627391092):ADgid(1627391092)
  tetsu:uid(1627391091):gid(1627391091):ADuid(1627391091):ADgid(1627391091)

Remove duplicated local users
than:uid(1627391106):gid(1627391106):ADuid(1627391106):ADgid(1627391106)
  Delete local user than ? (Yes/No)
y
executing command (/usr/sbin/userdel than )...
  Local user than is deleted
clyde:uid(1627391092):gid(1627391092):ADuid(1627391092):ADgid(1627391092)
  Delete local user clyde ? (Yes/No)
y
executing command (/usr/sbin/userdel clyde )...
  Local user clyde is deleted
tetsu:uid(1627391091):gid(1627391091):ADuid(1627391091):ADgid(1627391091)
  Delete local user tetsu ? (Yes/No)
y
executing command (/usr/sbin/userdel tetsu )...
  Local user tetsu is deleted

Command summary
Users:
  3 duplicated local user(s) to be removed
  0 duplicated local user(s) in ignore list
  3 duplicated local user(s) deleted
  0 error(s) found when removing a local user

Keep in mind that these commands can only be run with root privileges. As always, back up your local files prior to running adfixid or adrmlocal.
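
As an added example (not part of the original article and not Centrify's code), here is a read-only pre-flight check that mirrors what the two tools report: it classifies each local passwd entry against adquery user output as a CONFLICT (adfixid will remap its files), a DUPLICATE (adrmlocal will remove it) or LOCAL_ONLY (like wade above, which neither tool touches). The sample data is constructed from the listings above; on a real host you would feed it /etc/passwd and the live adquery output.

```shell
#!/bin/sh
# Added example, not Centrify's code: a read-only pre-flight check that classifies
# every local account against the zone (adquery user output) so you can see what
# adfixid and adrmlocal are each about to touch before committing anything.
# On a real host: classify "$(cat /etc/passwd)" "$(adquery user)"

# Constructed sample data, copied from the article's before/after listings.
LOCAL_BEFORE=$(cat <<'EOF'
than:x:10057:10057:Than Chariya:/home/than:/bin/bash
wade:x:10063:10063:Wade Tongen:/home/wade:/bin/bash
clyde:x:10025:10025:Clyde Baum:/home/clyde:/bin/bash
tetsu:x:10022:10022:Tetsu Ishii:/home/tetsu:/bin/bash
EOF
)
LOCAL_AFTER=$(cat <<'EOF'
than:x:1627391106:1627391106:Than Chariya:/home/than:/bin/bash
wade:x:10063:10063:Wade Tongen:/home/wade:/bin/bash
clyde:x:1627391092:1627391092:Clyde Baum:/home/clyde:/bin/bash
tetsu:x:1627391091:1627391091:Tetsu Ishii:/home/tetsu:/bin/bash
EOF
)
ZONE=$(cat <<'EOF'
clyde:x:1627391092:1627391092:Clyde Baum:/home/clyde:/bin/bash
tetsu:x:1627391091:1627391091:Tetsu Ishii:/home/tetsu:/bin/bash
than:x:1627391106:1627391106:Than Chariya:/home/than:/bin/bash
EOF
)

# classify LOCAL ZONE: prints "name STATUS local_uid zone_uid" per local account.
#   CONFLICT    in the zone, but local UID or GID differs  -> adfixid will remap files
#   DUPLICATE   in the zone with identical UID/GID         -> adrmlocal will remove it
#   LOCAL_ONLY  no zone entry                              -> untouched, decide by hand
classify() {
    printf '%s\n' "$1" | awk -F: -v zone="$2" '
        BEGIN {
            n = split(zone, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, ":"); zuid[f[1]] = f[3]; zgid[f[1]] = f[4]
            }
        }
        !($1 in zuid)                    { print $1, "LOCAL_ONLY", $3, "-"; next }
        $3 != zuid[$1] || $4 != zgid[$1] { print $1, "CONFLICT", $3, zuid[$1]; next }
                                         { print $1, "DUPLICATE", $3, zuid[$1] }'
}

# Files still owned by a stale numeric UID (what adfixid -c would rechown) are
# listed with: find / -xdev -uid <local_uid> -print, one call per CONFLICT line.
classify "$LOCAL_BEFORE" "$ZONE"
```

Run it once before adfixid -c and again after adfixid -C: the CONFLICT lines should have turned into DUPLICATE lines, and any remaining LOCAL_ONLY accounts are the ones a human still has to decide about. The same comparison over /etc/group would cover the group side.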

Comments
By centrify_devops
on ‎01-07-2016 12:19 PM

I wrote a script just to do this. Kudo!

By Centrify Advisor I
on ‎01-07-2016 12:58 PM

You should post your script for community members to see.
