Centrify Useful Commands and Information


If you do not know what Centrify is, you most probably do not need the commands below. If you are curious, more information can be found on their website: http://www.centrify.com

In a nutshell, Centrify allows UNIX/Linux/OS X machines to join Active Directory. In a Centrify-enabled environment you have a single AD account to log on to all systems, regardless of platform (Windows, Linux, AIX, Solaris, HP-UX, Mac OS X, etc.).

Centrify AD commands:

(if they are not in your PATH, you can find them in /usr/share/centrifydc/bin)

How to see general information about the AD status of an AD-joined system:

adinfo

How to query users or groups:

adquery user lameuser1
If you need more information, add the -A parameter:
adquery user -A lameuser1
Example:
$ adquery user lameuser1
lameuser1:x:448725:80000:Lame, User:/home/lameuser1:/usr/bin/ksh
$ adquery group adgroup
adgroup:x:80000:

How to check whether a machine is ready to join an Active Directory domain:

It verifies all requirements before the machine is joined. Run this command on the client.
adcheck adgznor.net

How to join a server to Active Directory:

You will need the proper account and password for this command to work.
adjoin adgznor.net -z "Global" -c "adgznor.net/Services/UNIX/Servers" --name `uname -n` -u "SYS_LAMEUSER1@EU.ADGZNOR.NET"

How to remove a server from Active Directory:

When running adleave, it is advised not to use the force flag: with it, only the local status on the server is cleaned up, not the object on the Centrify/AD side, which then has to be removed manually afterwards.
You will need the proper account and password for this command to work.
adleave --verbose -u

How to check for authentication issues (if any):

If auth.log is in a different location on your machine, replace the path in the command below.
grep adclient /var/adm/syslog/auth.log

How to reload the Centrify configuration:

adreload

How to flush the Centrify local cache:

adflush

How to see the AD map (network state):

adinfo -y netstate

How to check whether an AD user is locked:

If the value is true, the account is locked.
adquery user -A lameuser1 | grep accountLocked

How to see the preferred site (the site the DC is chosen from):

adinfo -V

How to reset an account's key table and synchronize its contents with the key distribution center in Active Directory:

Useful if the server gets into disconnected mode (due to a computer password issue, which can be verified in logs such as auth.log).
You will need the proper account and password for this command to work.
adkeytab -r -u

How to enable centrifydc debug mode:

You will have to run these commands as root or with sudo.
Turn debug on and watch for any errors: /usr/share/centrifydc/bin/addebug on
Clear any previous debug log (/var/log/centrifydc.log): /usr/share/centrifydc/bin/addebug clear

How to restart the Centrify Agent:

AIX:
date ; ps -ef|grep adcl ; stopsrc -s centrifydc ; sleep 3; startsrc -s centrifydc ; sleep 2; ps -ef|grep adcli ; date ; adinfo ; sleep 1; dzinfo -C

Linux:
date ; ps -ef|grep adcl ; service centrifydc stop ; sleep 3; service centrifydc start ; sleep 1; ps -ef|grep adcli ; date

SunOS:
svcadm disable centrifydc; sleep 5; svcadm enable centrifydc
svcs -a|grep -i centrif ; ps -ef|grep adcl

SunOS v5.8, v5.9:
/etc/init.d/centrifydc stop ; sleep 3; /etc/init.d/centrifydc start
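The checks above (agent mode from adinfo, accountLocked from adquery -A, and the per-platform restart sequence) are easier to use from a script when the command output is parsed rather than eyeballed. The following is an added example, not code from the original page or from Centrify; the adinfo and adquery output it parses is constructed to resemble real output (the hostname, DC and site names are made up) so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the page): parse Centrify command output so a script
# can act on it. Samples are constructed; on a real host pipe the live output
# in instead, e.g.  adinfo | centrify_mode
# Constructed sample of `adinfo` on a joined host.
ADINFO_SAMPLE='Local host name:   gzadcl
Joined to domain:  adgznor.net
Joined as:         gzadcl.adgznor.net
Current DC:        dc01.adgznor.net
Preferred site:    EU-Site
Zone:              adgznor.net/Services/UNIX/Zones/Global
CentrifyDC mode:   connected'
# Constructed sample of `adquery user -A lameuser1` (only the fields used here).
ADQUERY_SAMPLE='unixname:lameuser1
uid:448725
gid:80000
shell:/usr/bin/ksh
accountLocked:true'

# Print the agent mode (connected/disconnected) from adinfo output on stdin.
centrify_mode() {
    awk -F: '/^CentrifyDC mode:/ { gsub(/^[ \t]+/, "", $2); print $2 }'
}

# Return 0 if adquery -A output on stdin has accountLocked:true, else 1.
account_locked() {
    awk -F: '/^accountLocked:/ { v = $2 } END { exit ((v == "true") ? 0 : 1) }'
}

# Restart sequence from the page, selected by `uname -s` (and `uname -r` on SunOS).
restart_cmd() {
    case "$1" in
        AIX)   echo 'stopsrc -s centrifydc; sleep 3; startsrc -s centrifydc' ;;
        Linux) echo 'service centrifydc stop; sleep 3; service centrifydc start' ;;
        SunOS) case "$2" in
                   5.8|5.9) echo '/etc/init.d/centrifydc stop; sleep 3; /etc/init.d/centrifydc start' ;;
                   *)       echo 'svcadm disable centrifydc; sleep 5; svcadm enable centrifydc' ;;
               esac ;;
        *)     echo "unsupported platform: $1" >&2; return 1 ;;
    esac
}

# Health check: flag disconnected mode, the case where adkeytab -r is needed.
check_health() {
    mode=$(printf '%s\n' "$1" | centrify_mode)
    [ "$mode" = connected ] && { echo "agent connected"; return 0; }
    echo "agent mode '$mode': check auth.log for computer password errors" >&2
    return 1
}
```

On a real host the calls become `check_health "$(adinfo)"` and `adquery user -A lameuser1 | account_locked`.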

Centrify daemon commands:

How to display detailed information about the DirectAuthorize configuration for a specified user on the local computer:

dzinfo

How to verify computer roles (server roles and group membership):

dzinfo -C

How to execute privileged commands as a specified user on the local computer (works like sudo):

dzdo

How to list the commands a user can run (with dzdo):

dzinfo -c user

How to see which commands the currently logged-in user can run:

One output line should look like this: (root) !find * -exec *.
dzdo -l

How to edit a file as another user:

It is similar to using dzdo with the -e option.
dzedit

Other related commands:

How to list all users managed by CENTRIFY (AD users) on AIX:

lsuser -R CENTRIFYDC ALL

How to list the names and GIDs of all groups managed by CENTRIFY (AD groups) on AIX:

(to limit the number of groups visible on the server, use the /etc/centrify/group.ovr file)
lsgroup -R CENTRIFYDC -a id ALL

Centrify files:

CENTRIFY configuration files location:

/etc/centrifydc

Centrify-enabled Samba configuration files location:

/etc/samba

Centrify DirectControl configuration file:

It contains a set of configuration parameters that specify different aspects of Centrify DirectControl operation for the local computer.
/etc/centrifydc/centrifydc.conf

Good to know

How to map a local user to an Active Directory user with the pam.mapuser.localuser parameter in the centrifydc.conf config file:

In the example below, we map the local user lameuser to the AD user lame.user.
pam.mapuser.lameuser: lame.user

How to remove the message "It can only run as user root, default to run as root":

This message poses no problem, but if dzdo runs inside a script you may want to get rid of it.
You can achieve this by explicitly specifying the user under which you want to run the desired command (-u root). The example below shows the difference.
lameuser1@gzadcl(/home/lameuser1)$ dzdo cat /etc/sudoers | head -n 2
It can only run as user root, default to run as root
# sudoers file.
#
lameuser1@gzadcl(/home/lameuser1)$ dzdo -u root cat /etc/sudoers | head -n 2
# sudoers file.
#

Thou shalt not steal!

If you want to use this information on your own website, please remember: by doing copy/paste entirely it is always stealing and you should be ashamed of yourself!
Have at least the decency to create your own text and comments and run the commands on your own servers and provide your output, not what I did!

Or at least link back to this website.