Join Linux/Unix Computers to a Domain and Zone
You have completed the preparation of the environment and added existing users and groups to Active Directory. The steps up to this point have not affected the day-to-day activities of any UNIX/Linux users or groups, and have not changed the configuration of any UNIX/Linux computers. The final step in the migration requires you to join UNIX computers to the Active Directory domain. This step does have the potential to affect end-users.
This section describes how to complete the migration by joining the target set of computers to an Active Directory domain and a Privilege Control zone.
Using Adjoin on New Computers
You can run the adjoin command interactively or in a script to join UNIX/Linux computers to Active Directory. One advantage to using the adjoin command is that it enables you to add the join operation to the steps for building a new UNIX/Linux computer. For example, if you have a process for provisioning a new UNIX/Linux computer, you can add an adjoin step that allows the new UNIX/Linux computer to join itself to Active Directory. Provisioning new computers to join the domain when they are built ensures that there are no new local users being defined on those UNIX/Linux computers.
Running Adjoin Requires Unix and Active Directory Privileges
On UNIX, running adjoin
requires you to log on as root, be a member of the wheel group, or have root equivalent privileges in the sudoers
file. On Mac OS X computers, adjoin
requires the administrator account and password.
Specifying the Required Options
The basic syntax for the adjoin command is:
adjoin [options] domain_name [--zone zone_name | --workstation]
The domain_name
should be a fully-qualified domain name; for example, sales.acme.com. If you are using adjoin to provision new computers, there are several options you should specify on the command line or in the script.
-
Use the
--container
or-c
option to specify the location for the computer account. Typically, you should use the organizational unit that you created for UNIX Servers and Workstation under the top-level UNIX organizational unit. It must be the location you used when you pre-created the computer object. For example:-c “ou=UNIX Server and Workstations,ou=UNIX”
-
Use the
--selfserve
or-S
option to specify that you want the computer to join itself to the Active Directory domain. -
Use the
--zone
or -z option to specify the name of the zone to join. You must specify a zone name unless you are joining Auto Zone using the--workstation
option. -
If you have a disjointed DNS environment where the Active Directory domain for the computer account does not match the name of the DNS domain, you must also specify the -name and
--alias
options. The--name
option specifies the name of the Active Directory computer object and the--alias
will be the fully-qualified DNS name of the computer. -
Use the
--computerpassword
or-X
to specify the password of the precreated computer account. You must also specify either--precreate
or--selfserve
. If you don't specify the password, the default password will be used.
For example, update your provisioning process for a new computer to include a command similar to the following:
adjoin -c "ou=UNIX Server and Workstations,ou=UNIX" -S -z production arcade.net
For complete information about adjoin options, see the adjoin man page.
Pre-staging Before Using Adjoin on a New Machine
When joining a large AD environment, the join procedure can take a very long time -- up to dozens of minutes. This becomes a concern in some use cases, such as starting an Amazon EC2 instance that needs to join the domain to provide service.
To speed up the adjoin process, the adjoin --prestage
option uses existing cache files instead of populating cache from scratch.
Some preparation is required to take advantage of the --prestage
option:
- Prepare a pre-staged cache directory on a joined machine
- Copy the cache directory to the new machine
Security Requirements
To use the --prestage
option, ensure the following:
-
Joined and new machine requirements:
- The
--prestage
option can only be used between machines that have the same platform, architecture, and Authentication Service (Centrify DirectControl) release version installed. - Adclient cache data encryption feature cannot be enabled on the joined machine. See the adclient.cache.encrypt parameter.
- The
-
Pre-staged cache directory on joined machine requirements:
- On a joined machine, create or designate a directory for the pre-staging cache files.
- The directory must be in a safe path. That means all levels of parent directories are owned by system accounts.
- The directory cannot be either group or world writable.
- On a joined machine, create or designate a directory for the pre-staging cache files.
-
Content for the pre-staged cache directory on the joined machine:
- Place the cache files (dz.cache, dc.cache, gc.cache,.idx and kset. files) in the specified directory.
- Ensure the cache files are owned by system accounts.
- Files cannot be either group or world writable.
- Symlink is not allowed for the cache files.
-
Zone hierarchy changes are not allowed between the staging directory and the new machine. This includes:
- zone name change
- zone GUID change
- zone schema change
Preparing to Use the --prestage Option
-
Create a directory on a joined machine. For example, /pre.
-
Stop
adclient
on that machine. -
Copy the
/var/centrifydc/
directory to the pre-staged directory on the joined machine.For example:
Copying the
/var/centrifydc/
directory to the pre-staged directory, /pre, places a copy of the required files in/pre/centrifydc
/. -
Verify the pre-staged directory on the joined machine contains all the .idx, .cache, and kset. files.
-
Copy the pre-staged directory to the new machine.
Use a method of your choice, such as scp or sftp.
This is done so the pre-staged files are available locally on the new machine.
-
Add the option to the adjoin command when adding the new machine. The syntax is:
-E | --prestage <directory>
where directory is the path to the pre-staged directory on the new machine.
For example, if the pre-staged files are in directory,
/pre/centrifydc/
, use the following adjoin command.adjoin -z <zone> -E /pre/centrifydc<domain>
Verify Authentication After Joining the Domain By Logging On
As the final step in the initial migration, you should verify that authentication for an Active Directory user is successful. You can do this by logging on to the UNIX console using either the UNIX user name or the Active Directory User Principal Name for a user assigned to the UNIX Login role. When prompted, type the Active Directory password for the account. If you are able to log on using the Active Directory password, you know that authentication is being handled by Active Directory and the user account has been successfully migrated.
You should also verify that you can log on remotely using a secure shell (ssh) connection and that you can use other services such as ftp.
If users have trouble logging on after a UNIX/Linux computer has joined the domain, it is typically because they’re not assigned the UNIX/Linux Login role or don’t have a valid UNIX/Linux profile in the zone. You can use the Show Effective UNIX/Linux User Rights command to check which users have profiles and what roles have been assigned to users who have access to the selected computer.