Joining a Domain

To begin authenticating users and authorizing access to Linux and UNIX computers and resources, you must first add the computers you want to manage to the appropriate Active Directory domains in one or more Active Directory forests. You can do this by running the adjoin command interactively or by using the adjoin command in a script. A successful join operation is what converts a Linux or UNIX computer into a Delinea-managed computer.

Connecting to the Domain Controller

To add a new computer to a domain, you must specify the domain you want to join. The adjoin program then locates an appropriate domain controller for the domain you specify and connects to Active Directory through that domain controller. By default, the domain controller to contact is determined by the Active Directory site topology. If the nearest domain controller in the site is not available, the agent attempts to connect to the next closest domain controller in the site. If no domain controller can be contacted or the connection takes too long to complete, the join operation fails.

If you don’t want the agent to select a domain controller based on the site topology, you can specify a master domain controller on a zone-by-zone basis. If you specify a master domain controller, the agent connects to the appropriate domain controller based on the zone you are joining.

What Happens During the Join Operation

If the Delinea Agent can successfully connect to an Active Directory domain controller, it performs a series of key tasks to complete the join operation. For example, during the join operation, the adjoin program completes the following tasks:

  • Starts the Delinea Agent for *NIX adclient process.

  • Checks whether a computer account already exists for the local computer in Active Directory. It creates a new Active Directory computer account for the local computer, if needed.

  • Sets the password on the Active Directory computer account to a randomly-generated password. The password is encrypted and stored locally on the UNIX host to ensure that only the Delinea Agent has control of the account.

  • Updates the Kerberos service principal names used by the host computer, generating a new Kerberos configuration file and krb5.keytab entries, and generating new service keys for the host and http services.

  • Synchronizes the local computer’s time with Active Directory to ensure the timestamps for Kerberos tickets are accepted for authentication.

After Joining a Domain

By default, computers function exactly the same after joining the domain as they did before joining the domain. Local users can continue to log on and existing programs and applications can continue to work as they did before joining the domain. The primary difference after joining the domain is that you have more complete control over access to the computer and what Active Directory users who are granted access can do. You will also have more tools at your disposal for managing computer properties and operations. For example, after joining a domain, you can use any combination of the following tools:

  • Access Manager

  • Access Module for Windows PowerShell

  • ADEdit command line programs and scripts

  • Active Directory Users and Computers

  • Group Policy Management console and Delinea group policies

You can use any of these tools to add Active Directory users to the appropriate zones, and to define and assign appropriate rights and roles for the users who need access to Linux and UNIX computers.

Joining a Domain and Zone with the Adjoin Command

In most cases, you add a computer to the domain by running the adjoin command directly on a local computer. You run this command once for each Linux or UNIX computer you want to add to a domain in the forest. Using the administrator or a designated user account, you can run the command interactively at the command line or include the command in a script to automate joining a domain.

Specifying the Most Common Arguments

Whether you join the domain interactively from the command line or using a script, you must specify a few required arguments. You might also need to specify several additional arguments, such as a user name and password for an account with permission to join the domain, an alias for the computer in Active Directory, or the organizational unit in which to place the computer.

The most common format for the adjoin command is:

adjoin --user username --zone zonename domain

For example, the following command illustrates the most common format for the adjoin command:

adjoin --user shea@acme.com --zone LinuxDev sales.acme.com

This command connects to Active Directory as the user shea@acme.com to add the local computer to a previously-created zone called LinuxDev and to the sales.acme.com domain. In this example, the zone and domain name are required. The user name is not a required argument; if it is not specified, the adjoin command prompts for the Administrator account password. However, because the user shea is a member of the acme.com domain rather than the sales.acme.com domain, the user account must be specified in the user_name@domain_name format.

Because the password is not specified in the command line, the adjoin program prompts for the Active Directory password to authenticate the shea@acme.com account before connecting to Active Directory.

In most cases, you should avoid including the password for an account as part of the adjoin command line for security reasons. If you are using adjoin in a script, however, you must include the --password option or provide another mechanism for inputting a valid password. For more information about adjoin command line options and running adjoin commands, see the adjoin man page.

If the adclient process is able to connect to Active Directory and the join is successful, a confirmation message is displayed. By default, the join operation adds the new computer account to Active Directory in the domain_name/Computers container. If the connection to Active Directory fails, a warning message is displayed and the join operation fails.

Using the Self-Serve Option for a Previously-Created Computer Account

If you have previously prepared a computer account in Active Directory as described in Preparing computer accounts before joining, you can use the selfserve (-S) option to join a domain without specifying a user name and password. For example, you can run a command similar to the following to join the domain:

adjoin --selfserve domain

For example:

adjoin --selfserve cendura.org

Note that you must specify the domain to join but not the zone: the computer is automatically joined to the zone in which the computer object was pre-created.

If you want to preserve the service principal names (SPNs) configured in centrifydc.conf, use the following adjoin command option:

-r spn or --useConf spn

This option only works in conjunction with the -S (--selfserve) option.

Joining a Domain in Workstation Mode

In most cases, zones are required if you are adding Linux and UNIX computers to Active Directory to address account migration and role-based access rights. However, it is possible to deploy without using zones to organize computers, rights, roles, and other information.

The workstation mode is intended for computers that function in the same way as Windows workstations where any valid user can log on to any computer that is joined to the domain. In general, workstations do not require you to manage identity attributes, such as UIDs and GIDs, or access-related attributes, such as the hours a user is allowed to log on. To mirror this behavior for Linux and UNIX computers, the workstation mode automatically creates a local user profile for users when they log on and does not apply any access rules unless you configured them for the user account in Active Directory.

Computers that join the domain using workstation mode are added to a single Auto Zone, are treated the same as Windows workstations, and are managed by Active Directory and group policy settings. You can use the workstation mode and Auto Zone for any computers that do not require profile management or role-based access controls. You can also have any combination of workstation computers that don’t require profile management and access control, and workstations and servers that do require profile management, access control, or hierarchical zones. For more information, see Using workstation mode and Auto Zone.

To join a domain using workstation mode instead of zones, you can run a command similar to the following:

adjoin --workstation --user username domain

For example:

adjoin --workstation --user kai.rodriguez cendura.org

This command adds the local computer to a single Auto Zone. The Auto Zone requires no configuration and there are no properties, user profiles, or access rights to manage. All Active Directory users and groups in the forest, or in forests with a two-way trust, can access the computers in the Auto Zone.

Joining the Domain Using the Computer Account

On the computer to which you have given administrative rights, run the adjoin command and set the user name parameter to the computer name with a dollar sign ($) appended and the password to the computer name.

adjoin domain --zone zoneName --user computername$ --password computername

For example, if the computer name is valencia and the Active Directory domain is arcade.com, you would run a command similar to the following:

adjoin arcade.com --zone finance --user valencia$ --password valencia
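The following shell helpers are an added example, not part of the Delinea documentation or product, covering both the scripted join with --password discussed under "Specifying the Most Common Arguments" and the computer-account join shown above. The credential file path, the ADJOIN override variable and the permission check are assumptions of this script, not adjoin features.

```shell
#!/bin/sh
# Added example (not from the Delinea docs): helpers for running adjoin from
# a script. ADJOIN can be overridden (e.g. ADJOIN=echo) to dry-run the
# argument handling without a domain controller; that variable is an
# assumption of this script, not an adjoin feature.
ADJOIN=${ADJOIN:-adjoin}

# Accept a credential file only if it is a regular file with no group/other
# permission bits, so the join password is not readable by other local users.
check_cred_file() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Scripted join with a named account: reads the first line of the credential
# file and hands it to --password (the mechanism the docs describe for
# scripts). The value is still visible in the process list while adjoin
# runs, so keep the file root-owned and the job short-lived.
join_domain() {
    user=$1; zone=$2; domain=$3; credfile=$4
    check_cred_file "$credfile" || {
        echo "refusing to use $credfile: missing or too permissive" >&2
        return 2
    }
    IFS= read -r pw < "$credfile"
    [ -n "$pw" ] || return 2
    "$ADJOIN" --user "$user" --zone "$zone" --password "$pw" "$domain"
}

# Join using a pre-created computer account: the user is the computer name
# with '$' appended and the password is the computer name, as in the docs.
# The name defaults to the local short hostname.
join_with_computer_account() {
    domain=$1; zone=$2; name=${3:-$(hostname -s)}
    "$ADJOIN" "$domain" --zone "$zone" --user "${name}\$" --password "$name"
}
```

Run with ADJOIN=echo first to confirm the argument list, then without it on the host being joined.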