Server Suite

Unix and Linux Evaluation Guide

Version: 2024.x
Publication Date: 10/17/2024

© Delinea, 2024
Server Suite Unix and Linux Evaluation Guide
Version: 2024.x, Publication Date: 10/17/2024
© Delinea, 2024

Warranty Disclaimer
DELINEA AND ITS AFFILIATES, AND/OR ITS AND THEIR RESPECTIVE SUPPLIERS, MAKE NO REPRESENTATIONS
ABOUT THE SUITABILITY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS, THE
SOFTWARE AND SERVICES, AND OTHER MATERIAL PUBLISHED ON OR ACCESSIBLE THROUGH THIS SITE FOR ANY
PURPOSE. ALL SUCH MATERIAL IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. DELINEA AND ITS
AFFILIATES, AND/OR ITS AND THEIR RESPECTIVE SUPPLIERS, HEREBY DISCLAIM ALL WARRANTIES AND
CONDITIONS WITH REGARD TO SUCH MATERIAL, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT.
THE MATERIAL PUBLISHED ON THIS SITE COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL
ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN. DELINEA AND ITS AFFILIATES,
AND/OR ITS AND THEIR RESPECTIVE SUPPLIERS, MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE MATERIAL
DESCRIBED HEREIN AT ANY TIME.
Disclaimer of Liability
IN NO EVENT SHALL DELINEA AND ITS AFFILIATES, AND/OR ITS AND THEIR RESPECTIVE SUPPLIERS, BE LIABLE
FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES (INCLUDING LOSS OF USE, DATA, PROFITS OR
OTHER ECONOMIC ADVANTAGE) OR ANY DAMAGES WHATSOEVER, WHETHER IN AN ACTION OF CONTRACT,
NEGLIGENCE, OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF SOFTWARE, DOCUMENTS, PROVISION OF OR FAILURE TO PROVIDE SERVICES, OR MATERIAL
AVAILABLE FROM THIS SITE.
Table of Contents

Table of Contents
Unix and Linux Evaluation Guide i

Evaluation Guide for Linux and Unix 1

Intended Audience 1
Using this Guide 1

Preparing Hardware and Software for an Evaluation 1

What You Need for the Evaluation 2
Windows Computer Requirements 2
Linux and UNIX Computer Requirements 3
Domain Controller Requirements 3
Verifying Administrative Access for the Evaluation 4
Checking the DNS Environment 4
Using a Virtual Environment 4
Downloading Server Suite Software for UNIX Evaluations 5
Downloading Server Suite Windows Software 5
Downloading the Linux and UNIX Agents 5
Verifying that You Have Active Directory Permissions 6
Next Steps 7

Configuring the Basic Evaluation Environment 7

Creating an Organizational Unit 7
Create Additional Organizational Units 7
Delegating Control for the Organizational Unit 8
Installing and Configuring Access Manager 9
Starting Access Manager for the First Time 10
Creating the First Zone 10
Installing the Server Suite Agent for *NIX 12
Joining the Domain 13
Verifying your Progress in Access Manager 13
Adding and Provisioning an Evaluation User and Group 14
Verify Access by Logging On 14
Creating a UNIX Administrator Role 15
Defining a Command Right and a New Role 16
Verifying Administrative Privileges 17
Viewing Effective Rights 18
Creating Child Zones and a Service Administrator Role 18
Defining Command Rights and a New Role for Apache Administrators 19
Verifying the Success of the Script 20
Adding Rights to the New Role Definition 20
Assigning the Apache Administrator Role to a Group 21
Deploying Group Policies to UNIX Computers 21
Configuring User Mapping by Group Policy 22
Configuring Password Prompts 22

Delinea Server Suite Unix and Linux Evaluation Guide iii

Table of Contents

Next Steps 23

Exploring Additional Management Tools 23

Adding UNIX Profiles Automatically 23
Managing UNIX Information from a UNIX Terminal 24
Using UNIX Commands 24
Using ADEdit 25
ADEdit Application 26
ade_lib Tcl Library 26
Using adedit Sample Scripts 26

Next Steps 28

Auditing Sessions 28
Install Auditing Components on Windows 28
Configure a New Audit Installation 29
Enabling Linux Desktop Auditing 29
Verify that Auditing is Enabled 30
Viewing Sessions with Predefined Queries 31
Replaying a Session 31
Managing Audited Sessions 32
Using Command Summaries 32
Exporting Sessions 33
Viewing and Editing Session Properties 33
Updating Review Status for a Session 33
Deleting Sessions 33
Creating Custom Queries 34

Frequently Asked Questions 35

How Do I Accommodate Legacy or Conflicting Identity Information? 35
Can I have Separate Role Assignments for Specific Computers? 36
How Can I Manage Access Rules for Computers in Different Zones? 36
How do I Manage Access Privileges during Application Development? 37
How do I Terminate a User Account but Keep the Account Profile? 37
Can Active Directory Credentials be used to Log in to Applications? 38
Can Active Directory Credentials be used for Phone and Tablet Users? 38
How Do I Migrate from NIS Maps to Server Suite? 38

Removing Software after an Evaluation 38

Removing Authentication and Privilege Services 39
Removing the Audit and Monitoring Service 39
Removing Server Suite Agents 39

Delinea Server Suite Unix and Linux Evaluation Guide iv

Evaluation Guide for Linux and Unix

Evaluation Guide for Linux and Unix

The Server Suite Evaluation Guide for Linux and UNIX describes how to install and configure the Server Suite
software on a Windows computer joined to an Active Directory domain controller and on the Linux and UNIX
computers you want to manage. After you install the software, you can follow the steps in this guide to create Active
Directory users and groups and set up a test environment with Server Suite zones, roles, privileges, and group
policies. Through this test environment, you can see how Server Suite enables you to control users access,
manage privileges, and monitor activity on UNIX and Linux computers in your organization.

Intended Audience
This guide is for system and network administrators who want to evaluate Server Suite software. The guide
assumes you have a working knowledge of Windows Server and Active Directory and are familiar with Active
Directory features, functionality, and terminology. This guide also assumes you are familiar with the Linux or UNIX-
based computers you plan to manage and how to perform common administrative tasks.

Using this Guide

Server Suite provides an integrated set of software components that centrally control, secure, and audit user
access to servers, workstations, mobile devices, and applications through Microsoft Active Directory. The purpose
of this guide is to give you hands-on experience using Server Suite software to manage identities, access
privileges, and administrative tasks on UNIX and Linux computers.
The guide is divided into the following chapters:
n Preparing Hardware and Software for an Evaluation describes what you will need and how to prepare for the
evaluation.
n Configuring the Basic Evaluation Environment provides step-by-step instructions for setting up the evaluation
environment.
n Exploring Additional Management Tools describes the features of Server Suite software that reduce complexity
and ease the workload in large organizations.
n Auditing Sessions describes how you can audit user activity and search and replay user sessions.
n Frequently Asked Questions provides answers to the most common questions about Server Suite products and
features.
n Removing Software after an Evaluation describes how to optionally uninstall Server Suite software.

Preparing Hardware and Software for an Evaluation

This chapter describes the hardware and software you need to prepare for the evaluation of Server Suite software.
It includes instructions for downloading SErver Suite software from the Delinea website if you do not have the CD
and the permissions required to install and configure the evaluation environment.

Delinea Server Suite Unix and Linux Evaluation Guide Page 1 of 40

Preparing Hardware and Software for an Evaluation

n What You Need for the Evaluation

n Verifying that You Have Active Directory Permissions
n Checking the DNS Environment
n Using a Virtual Environment
n Downloading Server Suite Software for UNIX Evaluations
n Verifying that You Have Active Directory Permissions
n Next Steps

What You Need for the Evaluation

To follow the instructions in this guide, you need a simple configuration of networked Windows domain computer,
Windows Server domain controller, and a Linux, UNIX, or Mac OS X computer to manage as illustrated in the
following example.

To complete this evaluation, you install Server Suite software on two physical or virtual computers:
n Authentication & Privilege and Audit components on a Windows computer joined to an Active Directory
domain.
n Server Suite Agent for *NIX on a supported Linux-based or UNIX-based platform that you want to manage.

In most organizations, Server Suite software is not installed on the domain controller. However, you must be able to
connect to a domain controller from the other two computers to complete the evaluation.
n Windows Computer Requirements
n Linux and UNIX Computer Requirements
n Domain Controller Requirements

Windows Computer Requirements

You use the Windows computer where Access Manager is installed to perform most of the procedures described in
this guide.
Before installing on Windows, check that you have a supported version of one of the Windows operating system
product families.
For details about supported platforms, please consult the release notes.

Delinea Server Suite Unix and Linux Evaluation Guide Page 2 of 40

Preparing Hardware and Software for an Evaluation

You should also verify that you have the .NET Framework, version 4.5 or later, installed. If the .NET Framework is
not installed, the setup program can install it for you. Alternatively, you can download the .NET Framework from the
Microsoft Download Center, if needed.
The Windows computer should have the following minimum hardware configuration:

Component Minimum Requirement

CPU speed 550 MHZ

RAM 256 MB

Disk space 1.5 GB

You should also verify that the Windows computer you plan to use for the evaluation is joined to the Active Directory
domain.

If you are installing the software on virtual computers, see Using a Virtual Environment for additional
guidelines.

Linux and UNIX Computer Requirements

A platform-specific Server Suite Agent for *NIX must be installed on each computer you want to manage through
Active Directory. Delinea supports several hundred distributions of popular operating systems, including AIX, HP-
UX, and Solaris versions of the UNIX operating environment and both commercial and open source versions of the
Linux operating system. For the most complete and most up-to-date list of supported operating systems and
vendors, see the supported platforms listed in the release notes.
You can download platform-specific agent packages from the Delinea Customer Download Center if you register
for a free account. You can also download agents for free from the Delinea Server Suite Free website.
The UNIX or Linux computer must be connected to the same network as the domain controller.

Domain Controller Requirements

For the Active Directory domain controller, you should verify that you have access to a computer with a supported
version of the Windows Server product family and is configured with the domain controller and DNS server roles.
For details about supported platforms, please consult the release notes.
In addition, you should verify that the domain functional level is at least Windows Server 2008 R2.
To determine the domain functional level

1. Open Active Directory Users and Computers (dsa.msc).

2. Select the domain.
3. Select Action, then click Raise domain functional level.
If the current domain functional level is not at least Window Server 2008 R2, use the drop down list to raise the
level.

Delinea Server Suite Unix and Linux Evaluation Guide Page 3 of 40

Preparing Hardware and Software for an Evaluation

Verifying Administrative Access for the Evaluation

To prepare for the evaluation, you should confirm that you have the local Administrator account and password for
the root domain of the Active Directory forest. The forest root Administrator account is the account created when
you install the first Windows Server in a new Active Directory site.
If you set up a separate Active Directory domain for testing purposes, you should have this account information. If
you are using an existing Active Directory forest that was not expressly created for the evaluation, you should
identify the forest root domain and confirm that you have an account that is a member of the Domain Admins group
on the Windows computer you use for the Access Manager console. This ensures that you have all the permissions
you need to perform the procedures in this evaluation.
If you are not a member of the Domain Admins group on the Windows computer you use for the Access Manager
console, have the Active Directory administrator create a separate organizational unit for Delinea objects and
delegate control of that organizational unit to the user account you are using for evaluation. For more information
about delegating control, see Delegating control for the Delinea organizational unit.
You should also verify that Administrative Tools are visible in the Start menu on the Windows computer you are
using for the evaluation. If the Administrative Tools option is not displayed, download and install the Microsoft
Remote Server Administrator Tools from the Microsoft website. For download and installation instructions, see
http://www.microsoft.com/en-us/download/details.aspx?id=7887.

Checking the DNS Environment

The Server Suite Agent is designed to perform the same set of DNS lookups that a typical Windows computer
performs in order to find the nearest domain controller for the local site. For example, the Server Suite Agent for
*NIX looks for service locator (SRV) records in the DNS server to find the appropriate controller for the domain it has
joined.
In most cases, when you configure the DNS Server role on a Windows computer, you configure it to allow dynamic
updates for Active Directory services. This ensures that the SRV records published when a domain controller
comes online are available in DNS. If your DNS Server is configured to prevent dynamic updates, however, or if you
are not using the Window computer as the DNS server, the Server Suite Agent for *NIX might not be able to locate
the domain controller.
Do the following to ensure the UNIX computer can look up the SRV records in the DNS server for the evaluation
environment:
n Configure the DNS Server role on the Windows computer to Allow secure dynamic updates.
n Make sure that each UNIX or Linux computer you are using includes the Windows DNS server as a nameserver
in the /etc/resolv.conf file.

When you configure the DNS Server, you should configure it to perform both forward and reverse lookups and to
allow secure dynamic updates.

Using a Virtual Environment

To simplify the hardware requirements, you might find it useful to set up your evaluation environment using either
Microsoft Virtual PC or VMware Workstation. To set up a virtual environment, you need a computer with enough

Delinea Server Suite Unix and Linux Evaluation Guide Page 4 of 40

Preparing Hardware and Software for an Evaluation

CPU, RAM, and available disk space to run three virtual machines simultaneously. Delinea recommends the
following minimum configuration:
n CPU: at least 1.70 GHz
n RAM: at least 8 GB
n Available disk space: 15 GB

The virtual environment should also be configured to run as an isolated evaluation environment using Local/Host-
only or Shared/NAT networking.
In addition, because the virtual environment runs as an isolated network, each virtual machine should be manually
assigned its own static TCP/IP address and host name.

Downloading Server Suite Software for UNIX Evaluations

You can go to the Delinea website to sign up for a free trial. Once you're signed up with an account, you can
download the software.
To register for a Delinea free trial

1. Navigate to https://www.centrify.com/free-trial/.
2. Enter your contact and company information, click the check box to indicate that you agree to the terms of use
and privacy policy, and then clickStart My Trial.

Note: You will receive an email with the next steps in downloading your free trial.

Downloading Server Suite Windows Software

You can download all of the components for Server Suite from the Delinea website to your Windows computer.
Before you begin, be sure you have the email address and password you used to register for your trial.
To download the Windows software for Server Suite

1. Open a browser on the Windows computer you plan to use for the evaluation and go to www.centrify.com.
2. In the upper area of the web page, click Login.
3. Enter your email address and your account password, then click Login.
4. Go to Support > Downloads.
5. Select Zero Trust Privileges - Enterprise to locate the latest software bundles.
6. Next to the latest version for 64-bit Windows systems, click either the ISO or ZIP button to download the
software in that format.
The latest version of the Windows software bundle is called Server Suite.
7. Close the window when the download is complete.

Downloading the Linux and UNIX Agents

You can download individual platform-specific packages directly from the Delinea website to a local Linux or UNIX
computer.

Delinea Server Suite Unix and Linux Evaluation Guide Page 5 of 40

Preparing Hardware and Software for an Evaluation

To download UNIX and Linux agent packages

1. Open a browser on the Linux or UNIX computer you plan to use for the evaluation and go to www.centrify.com.
2. In the upper area of the web page, click Login.
3. Enter your email address and your account password, then click Login.
4. Go to Support > Downloads.
5. If you want the bundle that has all of the UNIX/Linux agents:
a. Select Zero Trust Privileges - Enterprise to locate the latest software bundles.
b. Next to the Agents for UNIX/Linux - All-in-One disk, click either the ISO or ZIP button to download the
software in that format.
6. If you want the agent package just for your specific UNIX/Linux system:
a. Select Authentication Service to locate the latest software bundles for the various *NIX systems.
b. Next to the Agent for your preferred operating system, click the TGZ button to download the software in that
format.

Verifying that You Have Active Directory Permissions

Many of the procedures in this guide add or modify Active Directory user, group, and computer accounts. You
should verify you have the appropriate Active Directory permissions to make these kinds of changes in the
evaluation environment. If you are not an Active Directory administrator or a domain administrator, you might not
have access to the domain controller or sufficient permission to modify Active Directory objects and attributes.
To conduct the evaluation, have an Active Directory administrator create an organizational unit for you to use and
delegate full control of the organizational unit to you. For more information about creating an organizational unit and
delegating control, see the following topics:
n Creating an organizational unit for Delinea
n Delegating control for the Delinea organizational unit

In addition to the organizational unit for Delinea objects, you need to have Log on as a service user access rights to
start the Zone Provisioning Agent included in the package.
To confirm that your account has “Log on as a service” access rights

1. Open the Windows Administrative Tools Local Security Policy.

2. Expand the Local Policies node and select User Rights Assignments.
3. Scroll down to Log on as a service and double-click to display properties for this right.
4. Click Add User or Group.
5. Type the user or group name or click Browse to search for and select your account, then click OK to add this
right to your account in the Local Security Setting.

Delinea Server Suite Unix and Linux Evaluation Guide Page 6 of 40

Configuring the Basic Evaluation Environment

Next Steps
This concludes the site preparation, Server Suite software download, and permissions assessment. You are now
ready to install the software and create the fundamental elements of the evaluation environment.

Configuring the Basic Evaluation Environment

In this chapter, you install Server Suite software on your evaluation computers and configure users, groups, roles,
and group policies to integrate the UNIX environment into Active Directory. After you complete these steps, your
UNIX or Linux computer will be a Server Suite-managed computer that is joined to the Active Directory domain,
allowing UNIX users to log in using their Active Directory credentials.
Complete the tasks in order, as described in the following sections.
n Creating an Organizational Unit
n Delegating Control for the Organizational Unit
n Installing and Configuring Access Manager
n Installing the Server Suite Agent for *NIX
n Adding and Provisioning an Evaluation User and Group
n Creating a UNIX Administrator Role
n Creating Child Zones and a Service Administrator Role
n Deploying Group Policies to UNIX Computers
n Next Steps

Creating an Organizational Unit

To isolate the evaluation environment from other objects in Active Directory, you can create a separate
organizational unit for all of the Delinea-specific objects that are created and managed throughout the evaluation.
You must be the Active Directory administrator or have Domain Admins privileges to perform this task.
To create an organizational unit for Delinea

1. Open Active Directory Users and Computers and select the domain.
2. Right-click and select New > Organizational Unit.
3. Deselect Protect container from accidental deletion.
4. Type the name for the organizational unit, for example, Delinea, then click OK.

Create Additional Organizational Units

Additional organizational units are not required for an evaluation. In a production environment, however, you might
create several additional containers to control ownership and permissions for specific types of Delinea objects. For
example, you might create separate organizational units for UNIX Computers and UNIX Groups.

Delinea Server Suite Unix and Linux Evaluation Guide Page 7 of 40

Configuring the Basic Evaluation Environment

To illustrate the procedure, the following steps create an organizational unit for the Active Directory groups that will
be used in the evaluation to assign user access rights to the Delinea-managed computers within the top-level
organizational unit for Delinea-specific objects.
To create an organizational unit for evaluation groups

1. In Active Directory Users and Computers, select the top-level organizational unit you created in Creating an
organizational unit for Delinea.
2. Right-click and select New > Organizational Unit.
3. Deselect Protect container from accidental deletion.
4. Type the name for the organizational unit, for example, UNIX Groups, then click OK.

In later exercises, you will use this organizational unit and add other containers to manage additional types of
information.

Delegating Control for the Organizational Unit

To allow another person who is not an Active Directory administrator to perform all of tasks in the evaluation, you
can delegate control of the Delinea organizational unit to that person. If you are an Active Directory administrator or
a member of the Domain Admins group in the evaluation domain, you can skip this step.
To delegate control of the organizational unit for Delinea

1. Open Active Directory Users and Computers and select the domain.
2. Select the top-level organizational unit for Delinea objects, Delinea.
3. Right-click, then select Delegate Control.
4. In the Delegation of Control wizard, click Next.
5. Click Add.
6. Search for and select the user or group for delegation, then click Next.

Delinea Server Suite Unix and Linux Evaluation Guide Page 8 of 40

 Configuring the Basic Evaluation Environment

7. Select the tasks to delegate, then click Next.

At a minimum, select the following common tasks:
n Create, delete, and manage user accounts
n Reset user passwords and force password change at next logon
n Read all user information
n Create, delete, and manage groups
n Modify the membership of a group
8. If you are delegating the task of joining computers to a zone, you can specify the scope of computers you can
join to the zone; you pick a container in Active Directory to grant access to.
If you leave the scope blank, the scope is the domain root. Be aware that the postalAddress field is used for
information about joining computers to azone; if you lookup the permissions for people you've delegated the
task ofjoining computers to a zone, they'll have permissions to the postalAddress field for the affected
computers.
9. Click Finish.

Installing and Configuring Access Manager

You are now ready to install Access Manager and other components on the Windows computer you are using for
the evaluation.
To install components on the Windows computer

1. On the physical or virtual computer where you downloaded Server Suite software, double-click autorun.
2. On the Getting Started page, click Authentication & Privilege.
3. On the Welcome page click Next.
4. Review the terms of the license agreement, click I agree to these terms, then click Next.
5. Type your name and organization, then click Next.
6. Select the components to install, then click Next.
7. Accept the default C:\Program Files\Centrify location for installing components, or click Browse to select a
different location, then clickNext.
8. Click Next to disable publisher verification.
9. Review the components you have selected, then click Next to begin installing components.
10. Deselect the Configure and start Zone Provisioning Agent option, then click Finish.
Because you are going to configure the service account for the Zone Provisioning Agent in a later exercise, click
Yes to dismiss the warning about the Zone Provisioning Agent running as the local system account.
11. Click Exit to close the Getting Started page.

Delinea Server Suite Unix and Linux Evaluation Guide Page 9 of 40

 Configuring the Basic Evaluation Environment

Starting Access Manager for the First Time

After installing Access Manager and other components, you should have the new Access Manager icons on your
desktop.
You are now ready to start using Access Manager. The first time you open Access Manager it creates Active
Directory containers to store Delinea licenses and zone information.
To start Access Manager for the first time

1. Open Access Manager by double-clicking the icon on the desktop.

2. Verify the name of the domain controller, then click OK.
The default is the domain controller to which the Windows computer is joined. If you want to connect to a
different forest, type the name of adomain controller in that forest. If you want to connect to the forest
withdifferent credentials, select Connect as another user, then type a user name and password to connect as.
3. In the Setup Wizard Welcome page, click Next.
4. Verify that Use currently connected user credentials is selected to use your current logon account, then click
Next.
You must be logged on with an account that has Active Directory administrator rights in the target organizational
unit.
If your logon account does not have those rights, select Specify alternate user credentials and enter a different
user name and password.
5. Select Generate Delinea recommended deployment structure and Generate default deployment structure,
then click Next.
6. Select a location for installing license keys in Active Directory, then click Next.
The Setup Wizard displays information about the Read permissions that must be granted on the container. Click
Yes to continue.
7. Type or copy and paste the license key you received, click Add, then click Next.
If you received the license key in a text file, you can click Import to import the key directly from the file, then click
Next.
8. Click Next to use the default container for the Delinea zones.
9. Accept the default permission delegation and click Next.
10. Review the summary of your selections, then click Next.
11. Click Finish.
After you click Finish, Access Manager displays.

Creating the First Zone

The next step in configuring your evaluation for access control and privilege management is to create a Delinea
zone. Zones enable you to define and control access privileges for users and groups in your organization. By using
zones, you can limit who has access to different computers and where users have permission to exercise elevated
privileges.

Delinea Server Suite Unix and Linux Evaluation Guide Page 10 of 40

Configuring the Basic Evaluation Environment

To create a parent zone

1. Open Access Manager.

2. Click Create Zone.

3. Type a name and description for the zone, for example Headquarters, then click Next.
4. Leave Use default zone type selected, and click Next.
5. Verify information about the zone you are creating, then click Finish.

You now have one parent zone. You can have multiple parent zones or a single parent zone, depending on your
needs. If you expand the Zones node, the left pane displays your new zone.

Access Manager automatically creates the Computers, UNIX Data and Authorization nodes for each zone you
create. These nodes enable you specify precise access privileges for computer and application administrators in
each zone.
A parent zone can have one or more child zones. Child zones inherit information from the parent zone. For
example, you can define access rights, roles, and role assignments in a parent zone and use them or change them
in a child zone. You will work with child zones in a later exercise.
Now that you have Access Manager installed and have configured your first zone, you are ready to install the
Server Suite Agent on a UNIX or Linux computer.

Delinea Server Suite Unix and Linux Evaluation Guide Page 11 of 40

Configuring the Basic Evaluation Environment

Installing the Server Suite Agent for *NIX

The Centrify Agent must be installed on each UNIX or Linux computer you want to manage. After you have
downloaded platform-specific agents for the operating systems you want to evaluate, you should make sure the
software is on the physical or virtual UNIX or Linux computer you are using for the evaluation.
To install the agent package

1. Log on to the UNIX or Linux computer with root privileges.

2. Copy the Centrify Agent for *NIX package for the local operating system to the computer and change to that
directory.
3. Extract the contents of the package.
For example, if you have a Red Hat Enterprise Linux based computer, you might enter the following:
gunzip centrify-server-suite-<release>-rhel5-x86_64.tgz
4. Expand the archive file.
For example, if you have a Red Hat Enterprise Linux based computer, you might enter the following:
tar -xvf centrify-server-suites-<release>-rhel5-x86_64.tar
5. Run the install.sh script.
For example, if you are running Red Hat Enterprise Linux you would enter the following:
/bin/sh install.sh
6. Follow the prompts displayed to check whether the local computer is ready for the installation.
If there are errors, you must fix them before installing the software. Warning messages are informational, but do
not prevent you from installing the software.
7. Follow the prompts displayed using the following instructions:

Prompt Action

Do you want to run adcheck to verify your AD environment? Enter N to skip post-installation
checks.

Join an Active Directory Domain? Enter N to join later.

Enable auditing on this computer (audit and monitoring service NSS Enter Y to enable auditing.
mode)?

Do you want to continue (Y) or re-enter information? Enter Y to install the default packages.

Enable Linux Desktop auditing on this computer? Enter Y to enable Linux desktop
auditing.

If you have more than one Linux or UNIX computers included in the evaluation, repeat Step 1 through Step 7 on
each computer.

Delinea Server Suite Unix and Linux Evaluation Guide Page 12 of 40

Configuring the Basic Evaluation Environment

8. Verify the installation by running the adinfo command at the UNIX command prompt.
adinfo
This command-line program displays information about the Linux or UNIX computer’s status in Active Directory.
At this point, the output should show you that you are not joined, but Licensed Features are enabled.

Joining the Domain

You are now ready to use the adjoin command-line program to join the Linux or UNIX computer to the Active
Directory domain you are using for evaluation.
The most basic syntax for the adjoin command is:
adjoin domain -z zone -u username
For more information about adjoin syntax and options, see the man page for the adjoin command.
To join an Active Directory domain from a Linux or UNIX computer

1. Log on to the UNIX or Linux computer with root privileges.

2. Run the adjoin command, specifying the domain, zone, and the account name for an Active Directory
administrator with permission to join the domain.
3. Enter the password for the Active Directory account used to join the domain.
4. Verify the UNIX or Linux computer is joined to Active Directory by running the adinfo command.
adinfo
The output should look similar to the following:
Local host name: my-eval
Joined to domain: test.acme.com
Joined as: my-eval.test.acme.com
Pre-win2K name: my-eval
Current DC: dc-mine.test.acme.com
Preferred site: CA
Zone: test.acme.com/acme/zones/HQ
Last password set: 2020-08-14 11:24:32 PDT
CentrifyDC mode: connected
Licensed Features: Enabled
5. Restart the Linux or UNIX computer.
Restarting the computer is not required, but is recommended to ensure that all services are restarted.

Verifying your Progress in Access Manager

You now have a Server Suite-managed computer. To see the computer in Access Manager, expand Zones >
Headquarters > Computers. The Linux or UNIX computer is listed under the Computers node. The computer has
successfully joined an Active Directory domain and is prepared for access control and privilege management.
However, no Active Directory users can log on to the computer yet.

Delinea Server Suite Unix and Linux Evaluation Guide Page 13 of 40

Configuring the Basic Evaluation Environment

Adding and Provisioning an Evaluation User and Group

Before any Active Directory users can log on to the Server Suite-managed computer, you must provision an Active
Directory account with UNIX profile attributes and assign the user a role that has login privileges. To demonstrate
the process in the evaluation, you will create a new Active Directory user, provision the user with a UNIX profile, and
assign the user basic access privileges.
To create a new Active Directory user with access to the Server Suite-managed computer

1. Open Active Directory Users and Computers and create a new User object.
a. Fill in the First, Last, and the User logon name fields.
b. Type and confirm a password and select the Password never expires option.
c. Acknowledge the warning, click Next, then click Finish.
2. Create a new Active Directory group in the UNIX Groups organizational unit you created under the Delinea
organizational unit.
a. For the Group name enter Login Users.
b. Select Global as the scope for the group and Security for the type of group, then click OK.
3. Add the evaluation user to the Login Users group.
a. Select the user you created in Step 1, right-click and select Add to a group.
b. Select the Login Users group, then click OK.
4. Provision a UNIX profile for the new user using Access Manager.
a. Expand the Zones node and select the Headquarters, right-click, then select Add User.
b. Select the user you created for the evaluation.
c. Select Define user UNIX profile only and deselect Assign roles.
d. Accept the default values for all profile properties.
e. Review your selections, click Next, then click Finish.
5. Assign the default UNIX Login role to the Login Users group using Access Manager.
a. Expand the Authorization node under the Headquarters zone.
b. Select Role Assignments, right-click, then select Assign Role.
c. Select the UNIX Login role and click OK.
d. Click Add AD account.
e. Change the object to Find from User to Group, then search for and select the Login Users group, then click
OK.
f. Click OK to complete the role assignment.

Verify Access by Logging On

The Active Directory user can now log on to the UNIX or Linux computers that has joined the domain and the parent
zone.

Delinea Server Suite Unix and Linux Evaluation Guide Page 14 of 40

Configuring the Basic Evaluation Environment

To verify the user can log on using Active Directory credentials

1. Open a terminal on your joined Linux or UNIX computer and switch to the root account.
2. Run adflush to clear the Server Suite Agent for *NIX’s cache.
This step simply ensures that the agent will make a new connection to Active Directory to get the latest user and
group information.
3. Log off as root.
4. Log in using the Active Directory credentials for the evaluation user you created and added to the Login User
group.

Creating a UNIX Administrator Role

Now that you have verified an Active Directory user can access the Linux or UNIX computer you are using for the
evaluation, you will see to how to create users that have elevated privileges and how you can limit the use of those
privileges to specific computers.
To illustrate this scenario, you will create a UNIX administrator role that grants root privileges for the computers in a
zone without requiring users to know the root password. Instead, users who are assigned the UNIX administrator
role use their Active Directory credentials.
You can use the same steps to define roles with different and more granular rights. For example, you will follow
similar steps to create an Apache administrator role that can only perform a limited set of tasks on computers in a
child zone.
At the end of this section, you will have two accounts with UNIX Login privileges: one of which has only standard
user privileges, the other account has full administrative privileges.
To create a new Active Directory user and group with administrative access

1. Open Active Directory Users and Computers and create a new User object.
a. Fill in the First, Last, and the User logon name fields.
b. Type and confirm a password and select the Password never expires option.
c. Acknowledge the warning, click Next, then click Finish.
2. Open Active Directory Users and Computers and create a new Group object in the UNIX Groups organizational
unit.
a. For the Group name, enter EnterpriseUnixAdmins.
b. Select Global as the scope for the group and Security for the type of group, then click OK.
3. Add the administrative user to the EnterpriseUnixAdmins group.
a. Select the user you created in Step 1, right-click and select Add to a group.
b. Select the EnterpriseUnixAdmins group, then click OK.
4. Provision a UNIX profile for the new user using Access Manager.
a. Expand the Zones node and select the Headquarters, right-click, then select Add User.
b. Select the user you created for UNIX administration.

Delinea Server Suite Unix and Linux Evaluation Guide Page 15 of 40

Configuring the Basic Evaluation Environment

c. Select Define user UNIX profile only and deselect Assign roles.
d. Accept the default values for all profile properties.
e. Review your selections, click Next, then click Finish.

Defining a Command Right and a New Role

You are now ready to define a new privileged command right that uses the asterisk (*) wild card to give the user the
equivalent of all commands, all paths, and all hosts in the sudoers file. In a production deployment, you would
define more specific sets of privileged commands and run them using accounts with no restricted access than the
root user.
To create new UNIX right definition for the administrative role

1. Create a new privileged command using Access Manager.

a. Expand the Authorization node under the Headquarters zone, then expand UNIX Right Definitions and
select Commands.
b. Right-click then select New Command. For this example, you will only set information on the General tab.
c. Type a command name and description, for example root_any_command and All commands, all paths, all
hosts.
d. Type an asterisk (*) in the Command field to match all commands.
e. Leave the default setting for Glob expressions.
f. Select the Specific path options and type an asterisk (*) to match all command paths, then click OK.

You now have a root_any_command that grants privileges to run any command in your role definitions. In the next
steps, you create a role that will give members of the EnterpriseUnixAdmins group the root_any_command
privileges.
To create and assign the UNIX administrators role

1. Create a new role definition using Access Manager.

a. Expand the Authorization node under the Headquarters zone, select Role Definitions, right-click, then select
Add Role.
b. Type a role name (UnixAdminRights) and a description (Set of rights for UNIX administrators) for the new
role.
c. Click the System Rights tab and select all of the UNIX rights and the Rescue right.
d. Click the Audit tab and select Audit if possible, then click OK.
2. Add the root_any_command and several default rights to the new role.
a. Select the UnixAdminRights role, right-click, then select Add Right.
b. Use CTRL-click to select rights, including login-all, secure shell (ssh, sshd, and dzsshall) rights, and the
root_any_command right you just created, then click OK.
3. Assign the UnixAdminRights role to the enterprise UNIX administrators group using Access Manager.

Delinea Server Suite Unix and Linux Evaluation Guide Page 16 of 40

Configuring the Basic Evaluation Environment

a. Expand the Authorization node under the Headquarters zone, select Role Assignments, right-click, then
select Assign Role.
b. Select the UnixAdminRights role and click OK.
c. Click Add AD Account.
d. Change the object to Find from User to Group, then search for and select the EnterpriseUnixAdmins group,
then click OK.
e. Click OK to complete the role assignment.

Verifying Administrative Privileges

You now have two role assignments—Login Users and EnterpriseUnixAdmins—in the zone. Any Active Directory
user you add to the Login Users group and provision a UNIX profile for will have access rights but no administrative
privileges on the computers in the zone. Any Active Directory users you add to the EnterpriseUnixAdmins group
and provision a UNIX profile for will be able to run any command with root-level permissions using their Active
Directory credentials.
The Active Directory user you added to the EnterpriseUnixAdmins group can now log on and run privileged
commands on the UNIX or Linux computers you are using for evaluation.
To verify the user can run privileged commands using Active Directory credentials

1. Log on to the Linux or UNIX computer using the Active Directory logon name and password you created for the
UNIX administrator.
2. Open a terminal on the Linux or UNIX computer.
3. Run a command that requires root-level privileges.
For examples, run the dzinfo command to view the rights and roles for the UNIX Login user you createdAdding
and provisioning an evaluation user and group.
dzinfo user_name
Because you are logged on as the Active Directory user and not invoking the command using your role
assignment, the command displays an error messageindicating that you are not allowed to view authorization
information for another user.
4. Re-run the command using your role assignment by typing dzdo before the command.
dzdo dzinfo user_name
The command runs successfully and returns information about the evaluation user similar to this partial output.
User: lois.lane
Forced into restricted environment: No
Role Name Avail Restricted Env
--------------- ----- --------------
UNIXLogin/Headquarters Yes None
Effective rights:
Password login
Non password login
Allow normal shell

Delinea Server Suite Unix and Linux Evaluation Guide Page 17 of 40

Configuring the Basic Evaluation Environment

Audit level:
AuditIfPossible

Viewing Effective Rights

Often, you need to see which users have what privileges in a zone. Access Manager provides you a single view of
all of the effective users in a zone and lets you tab through their account properties.
To view effective rights for Linux and UNIX users

1. Open Access Manager.

2. Expand Zones, right-click your parent zone name, then select Show Effective UNIX User Rights.
For example, the following illustrates the effective users in the evaluation zone.

3. Select a user, then click the tabs to see details about that user’s profile, role assignments and UNIX rights.

Creating Child Zones and a Service Administrator Role

In many cases, you don’t want a service administrator to have root privileges. For example, there’s no reason to
give database or web service administrators root-level privileges if their role only requires limited access to a few
privileged operations.
To illustrate how to grant more limited privileges to an administrator, you will now create a role that gives an Apache
server administrator permission a few specific tasks, such as edit the Apache configuration file and start and stop
the Apache service. In this scenario, you will also create child zones to further limit the Apache administrator’s
authority to just the computers in the child zones.
To create child zones

1. Open Access Manager.

2. Expand Zones, right-click your parent zone name, then select Create Child Zone.

Delinea Server Suite Unix and Linux Evaluation Guide Page 18 of 40

Configuring the Basic Evaluation Environment

3. Type a Zone name (Nevada) and a brief description (Western field office), then click Next.
4. Click Finish.
5. Repeat Step 1 through Step 4 giving the second child zone a different name (Delaware) and description
(Eastern web farm office).
6. Expand Child Zones and each new zone you created to view the nodes of the child zones.

To create a new Active Directory user and group for Apache administrators

1. Open Active Directory Users and Computers and create a new User object.
a. Fill in the First, Last, and the User logon name fields.
b. Type and confirm a password and select the Password never expires option.
c. Acknowledge the warning, click Next, then click Finish.
2. Open Active Directory Users and Computers and create a new Group object in the UNIX Groups organizational
unit.
a. For the Group name, enter ApacheAdmins.
b. Select Global as the scope for the group and Security for the type of group, then click OK.
3. Add the web administrator to the ApacheAdmins group.
a. Select the user you created in Step 1, right-click and select Add to a group.
b. Select the ApacheAdmins group, then click OK.
4. Provision a UNIX profile for the new user using Access Manager.
a. Expand the Zones node and select the Headquarters, right-click, then select Add User.
b. Select the user you created for web administration.
c. Select Define user UNIX profile only and deselect Assign roles.
d. Accept the default values for all profile properties.
e. Review your selections, click Next, then click Finish.

Defining Command Rights and a New Role for Apache Administrators

You are now ready to create the privileged commands and role definition for the Apache administrators much as
you did for the UNIX administrators. However, in this scenario, you will add the following new commands:

Command name Command Purpose

web_edit_http_config vi /etc/httpd/conf Edit the httpd daemon configuration file

web_apachectl apachectl *: Front end command for managing the httpd daemon

web_httpasswd htpasswd * Create and update HTTP server user name and password file

Delinea Server Suite Unix and Linux Evaluation Guide Page 19 of 40

Configuring the Basic Evaluation Environment

These commands will be added to a new role definition, ApacheAdminRights. As an alternative to creating the
commands and role manually using Access Manager, as you did in the previous section, the following steps
illustrate how you can use an ADEdit script.
ADEdit is a command-line scripting environment included with the Delinea Agent for *NIX. You can use ADEdit
commands and scripts to modify Active Directory objects interactively directly from a UNIX or Linux computer
terminal. The sample script ApacheAdminRole illustrates how you can use an ADEdit script to create UNIX rights
and an Apache administrator role. This sample script is located in the /usr/share/centrifydc/samples/adedit directory
on the UNIX or Linux computer where you have installed the Delinea Agent.
To create the ApacheAdmin commands and the ApacheAdminRights role

1. Log on to the Linux or UNIX computer using the Active Directory logon name and password you created for the
UNIX administrator.
2. Open a terminal on the Linux or UNIX computer.
3. Change the directory to /usr/share/centrifydc/samples/adedit.
4. Run the ApacheAdminRole script.
./ApacheAdminRole
If you see the error /bin/env: bad interpreter: No such file or directory, try changing the first line in the script to
#!/usr/bin/env adedit.
5. Follow the prompts displayed to provide the following information for connecting to Active Directory:
n Domain name.
n The Active Directory account name that has administrator privileges in the organizational unit you’re using
for the Delinea zones.
n The password for the Active Directory account.
6. Select the zone from the list of zones in your domain.
For example, enter 2 to create the commands and role in the Nevada child zone or 3 to create the commands
and role in the Delaware zone. The script then creates the commands and the role in the selected zone.

Verifying the Success of the Script

You can verify the new command rights and role in Access Manager.
To verify the script created command rights new role

1. Open Access Manager.

2. Expand the Nevada or Delaware child zone, then expand Role Definitions.
3. Select the ApacheAdminRights role to view the new command rights in the right pane.
The new rights are also listed in the under the child zone UNIX Right Definitions > Commands node. If the new
role is not listed, right-click, then select Refresh.

Adding Rights to the New Role Definition

The ApacheAdminRole script created the new UNIX command rights for Apache-related tasks. However, the
Apache administrators require a few more rights to do their job. For example, the ApacheAdminRights role created

Delinea Server Suite Unix and Linux Evaluation Guide Page 20 of 40

Configuring the Basic Evaluation Environment

using the sample script does not include the UNIX Login right for any computers.
To add more rights to the ApacheAdminRights role

1. Open Access Manager.

2. Expand the Nevada or Delaware child zone, then expand Role Definitions.
3. Select the ApacheAdminRights role, right-click, then select Add Right.
4. Select the Nevada or Delaware child zone from the list of zone to restrict the list of rights to the rights available in
the child zone.
5. Select the following default rights:
n login-all to allow Apache administrators to log on.
n ssh to allow Apache administrators to use the PAM secure shell client application.
n sshd to allow Apache administrators to use the secure shell server application.
n dzssh-scp to allow Apache administrators to use the secure copy application.
n dzssh-sftp to allow Apache administrators to use the secure file transfer application.
6. Click OK.

Assigning the Apache Administrator Role to a Group

You can now assign the ApacheAdminRights role to the Active Directory ApacheAdmins group. The members of
this group will only have the Apache access rights on the computers in the Nevada or Delaware child zone you
selected. Outside of the selected zone, members will have no access rights on any UNIX computers.
To assign the ApacheAdminRights role to the Apache administrators

1. Open Access Manager.

2. Expand the Nevada or Delaware child zone and its Authorization node.
3. Select Role Assignments, right-click, then select Assign Role.
4. Select the ApacheAdminRights role, then click OK.
5. Click Add AD Account.
a. Change the object to Find from User to Group, then search for and select the ApacheAdmins group, then
click OK.
b. Click OK to complete the role assignment.

Deploying Group Policies to UNIX Computers

Centrify provides group policy templates for managing UNIX and Linux computers. The group policies are centrally
managed through the Group Policy Management Editor, but modify configuration settings on the managed
computers where they are applied. This mechanism allows you to manage the group policy settings from a single
location and have them applied on remote UNIX and Linux computers.
To illustrate how to configure and apply group policies, you will create a Group Policy Object for the Centrify
organizational unit.
To load and apply group policies for UNIX and Linux computers

Delinea Server Suite Unix and Linux Evaluation Guide Page 21 of 40

Configuring the Basic Evaluation Environment

1. Open the Group Policy Management utility (gpmc.msc) and expand your evaluation domain.
2. Right-click the Delinea organizational unit, and select Create a GPO in this domain, and Link it here.
3. Type a name for the new GPO (UNIX policies), then click OK.
4. Expand the Delinea organizational unit, right-click the GPO, then select Edit.
5. Expand the Computer Configuration > Policies node and select Delinea Settings.
6. Right-click and select Add/Remove Templates
7. Click Add and select all of the templates listed, click Open, then click OK.
This step adds both computer and user group policies under the Delinea Settings node. Expand Delinea
Settings to explore the specific policiesavailable. You can click the Explain tab for any group policy to see
moreinformation about what it does. The remainder of this section illustrateshow you would enable and
configure a few simple policies forDelinea-managed. You should note that all policies—including Delinea group
policies—are “Not configured” by default.

Configuring User Mapping by Group Policy

To illustrate how to configure a Delinea group policy, you will enable the Set user mapping policy. This policy maps
a UNIX user, for example root, to an Active Directory user account, for example Amy.Adams. After this policy is set,
root attempts to log on must use the mapped Active Directory user’s credentials.
To configure a Delinea group policy

1. Expand Delinea Settings > DirectControl Settings, scroll down and double-click the Set user mapping policy.
2. Select Enabled, then click Add.
3. Type the UNIX user account name (root).
4. Click Browse to search for and select the Active Directory account to use, then click OK.
5. Click OK to enable the policy.

If you enable this policy, the root user in the zone will not be able to log in to the managed computers in
the zone.

Configuring Password Prompts

There are several group policies that enable you to customize the text displayed when a user attempts to log on to a
managed computer. For example, you can customize the text displayed when a password is expiring in a certain
number of days or when authentication fails. To illustrate how to configure the Delinea group policies for password-
related prompts, you will enable the Set login password prompt policy.

1. Expand Delinea Settings > DirectControl Settings > Password Prompts and double-click Set login password
prompt.
2. Select Enabled.
3. Type the text string you want displayed, then click OK.

Delinea Server Suite Unix and Linux Evaluation Guide Page 22 of 40

Exploring Additional Management Tools

Next Steps
You now have a basic foundation for working with Server Suite software. You have created a parent zone and child
zones, provisioned users to log on to computers in those zones, defined rights and roles in different zones, and
granted Active Directory users and groups specific rights by assigning them to roles. You’ve also seen how to apply
and configure group policies for Centrify-managed computers. From here, you can experiment on your own or
explore some of the additional tools that Server Suite provides.

Exploring Additional Management Tools

In configuring a basic evaluation environment, you saw how you can use Active Directory to centrally manage user
accounts, access privileges, and group policies on Linux and UNIX computers through Server Suite zones. This
chapter introduces some of the additional Server Suite tools that you can use to manage the UNIX users and
computers in your organization.
n Adding UNIX Profiles Automatically
n Managing UNIX Information from a UNIX Terminal
n Next Steps

Adding UNIX Profiles Automatically

Adding UNIX user accounts to Active Directory on a large scale poses several challenges:
n Provisioning: How do you provision large numbers of UNIX users and map them to unique Active Directory user
objects?
n Assigning roles: Once the UNIX users have profiles stored in Active Directory, how do you give each user just
the privileges required?
n Accommodating legacy UIDs: How do you migrate UNIX users who have different UIDs on different servers and
maintain existing file ownership requirements?

One strategy for adding and managing a large number of UNIX profiles is to use the Zone Provisioning Agent and
provisioning properties. The Zone Provisioning Agent can automatically provision new users with the full
complement of UNIX profile attributes when you add them to an Active Directory group. Configuring the
environment to illustrate automated provisioning with the Zone Provisioning Agent, however, requires several steps
that are only applicable if you choose that deployment scenario.
The following steps summarize the process, but are not recommended for an evaluation.
To deploy the Zone Provisioning Agent

1. Create an Active Directory service account with the “Log on as a service” user right.
2. Open the Centrify Zone Provisioning Agent Configuration Panel and configure the service to use the service
account you created for it.
3. Create or identify the Active Directory groups you will use as source groups for UNIX users.
4. Set the provisioning properties for the zone or zones where users will be automatically provisioned.

Delinea Server Suite Unix and Linux Evaluation Guide Page 23 of 40

Exploring Additional Management Tools

For example, open Access Manager, select the parent zone, right-click, then select Properties to see the
Provisioning properties. You can then set theActive Directory source group and how you want UNIX attributes to
be automatically generated.
5. Migrate all existing users using the appropriate override attributes into zones to preserve their profiles.
6. Start the Zone Provisioning Agent service.

Keep in mind that the Zone Provisioning Agent takes over all user provisioning if enabled for a zone. After you start
the service, you cannot use the Access Manager Add User option to add a user to the zone. This ensures that all
UIDs are unique in the domain.
If you configure the Zone Provisioning Agent, you can add and remove users from selected Active Directory groups
to automatically add or remove their UNIX profiles in a zone.
To add users after configuring zone provisioning

1. Open the users.txt file in the /usr/share/centrifydc/samples/adedit directory to add more or change names.
Use an editor that does not insert a carriage return at the end of each line. Each line must end with a line feed.
2. Run the AddUnixUsers sample script in the directory to create the Active Directory account for each UNIX user
and add each user to the Active Directory UNIX Users group.
./AddUnixUsers users.txt.
3. Follow the prompts displayed to provide the following information for connecting to Active Directory:
n Domain name.
n The Active Directory account name that has administrator privileges in the organizational unit you’re using
for the Delinea zones.
n The password for the Active Directory account.
4. Type an initial password that meets the Active Directory requirements to be used for all of the accounts added.
5. Open the Delinea Zone Provisioning Agent Configuration Panel and click Restart.
6. Open Access Manager or Active Directory Users and Computers and assign users to the appropriate Active
Directory groups to assign rights.

Managing UNIX Information from a UNIX Terminal

Many organizations find it least disruptive for their UNIX administrators to continue to manage their UNIX and Linux
computers directly from their own computer rather than from a Windows computer. If you plan to manage zones,
UNIX user and group accounts, access privileges, roles, and role assignments from a UNIX or Linux computer, you
can use the command-line tools described in this section.

Using UNIX Commands

This following table summarizes the most commonly used Centrify command line programs.

Command Location Description

Delinea Server Suite Unix and Linux Evaluation Guide Page 24 of 40

Exploring Additional Management Tools

adcheck /usr/share/centrifydc/bin Performs operating system, network, and Active Directory tests to
verify a computer meets the system requirements for a successful
installation. For example, the install.sh script runs the adcheck
program.

adedit /usr/bin Starts the adedit application for interactive commands or running
scripts For more information about the adedit application, see
Using ADEdit.

adflush /usr/sbin Clears the computer’s agent cache. Use this after you have made
changes to Active Directory accounts to remove and replace the
previous values.

adgpupdate /usr/bin Retrieves group policies from the Active Directory domain
controller and applies the policy settings to the local computer and
current user immediately. If you do not use the command, group
policies are automatically updated at a random interval between
90 and 120 minutes.

adinfo /usr/bin Displays summary or detailed diagnostic information for the

managed computer.

adjoin /usr/sbin Joins the local computer to an Active Directory domain,

organizational unit and zone.

adleave /usr/sbin Removes the local computer from the Active Directory domain.

adpasswd /usr/bin Changes the Active Directory account password for the current
user or a specified user.

adquery /usr/bin Queries Active Directory for information about users and groups.

dzinfo /usr/bin Displays information about the effective rights and roles for the
current login account.

dzdo /usr/bin Enables you to run privileged commands as root or another user.

Some UNIX commands require you to be logged on as root or as a user with root privileges. Other commands allow
different operations or return different results if you are logged on as root. For the complete list of Server Suite
command line programs you can run on Linux and UNIX computers, see the Administrator’s Guide for Linux and
UNIX. For detailed information about the options available for any command, see the man page for that command.

Using ADEdit
The Server Suite Agent for *NIX also includes the Tcl-based ADEdit program. ADEdit has two basic components:
n the adedit command-line application
n the ade_lib Tcl library

Delinea Server Suite Unix and Linux Evaluation Guide Page 25 of 40

Exploring Additional Management Tools

ADEdit provides a scripting language that you can use to bind to one or more Active Directory domain controllers.
You can then use ADEdit to retrieve, modify, create, and delete Active Directory objects of any kind, including
Server Suite specific objects such as zones, rights, and roles. For example, you used ADEdit and a sample script to
create rights and a role in Defining command rights and a new role for Apache administrators.
The following sections introduce a few of the key features for ADEdit. For more information about using ADEdit
commands and the ade_lib library, see the ADEdit Command Reference and Scripting Guide.

ADEdit Application

ADEdit uses Tcl as its scripting language. The Tcl scripting language includes all standard programming features,
such as variables, logical operators, and predefined functions (called “procedures” in Tcl). The ADEdit application
also includes a Tcl interpreter and Tcl core commands, which allow it to execute standard Tcl scripts, and a
comprehensive set of its own commands designed to manage Server Suite-specific objects in Active Directory.
You can use ADEdit to execute individual commands interactively or to execute sets of commands together in the
form of an ADEdit script.

ade_lib Tcl Library

The ade_lib Tcl library is a collection of Tcl procedures that provide helper functions for common Centrify-specific
management tasks such as listing zone information for a domain or creating an Active Directory user. You can
include ade_lib in other ADEdit scripts to use its commands.

Using adedit Sample Scripts

The Server Suite Agent for *NIX includes several sample adedit scripts that you can run in your evaluation
environment. The scripts are in the /usr/share/centrifydc/samples/adedit directory on the UNIX or Linux computer
where you have the agent installed.
To run scripts that have the .sh extension, enter /bin/sh filename.sh.
To run scripts that do not have an extension, you can just enter ./filename.

If you get the error /bin/env: bad interpreter: No such file or directory when you run a script, this means
that the env command is not in the /bin directory. In most cases, it is in /usr/bin instead. To fix this,
change the first line in the script to:

#!/usr/bin/env adedit
The following table lists the sample scripts and the arguments.

Script name Required Optional arguments

arguments

AddUnixUsers users.txt none

ApacheAdminRole none none

Delinea Server Suite Unix and Linux Evaluation Guide Page 26 of 40

Exploring Additional Management Tools

computers-report -domain domain_ -m -p password Use -m if you want to authenticate using the
name -u AD_user_ computer account credentials instead of an Active Directory user
name -sep account. If using an Active Directory user account, use -p if you
separator want to include the user's password in the command line. If you
don’t specify this option, you are prompted for the password.

CreateChildZones -d domain_name -z -p password Use -p if you want to include the user's password in
parent_zone_ the command line. If you don’t specify this option, you are
name -u AD_user_ prompted for the password.
name

CreateParentZone -d domain_name -z none

zone_name

GetChildZones none none

GetComputers none none

GetGroups none none

getopt-example -d domain_name - -p password Use -p if you want to include the user's password in
u AD_user_name the command line. If you don’t specify this option, you are
prompted for the password.

Getusers none none

GetZones none none

MakeRole Role_ none

apacheAdmin.txt

MktDept.sh List of names, for none

example, Mary,
Joe, and Lance

useracc-report -domain domain_ -m -p password Use -m if you want to authenticate using the
name -u AD_user_ computer account credentials instead of an Active Directory user
name -sep account. If using an Active Directory user account, use -p if you
separator want to include the user's password in the command line. If you
don’t specify this option, you are prompted for the password.

user-report -z zone_ -m -p password Use -m if you want to authenticate using the

distinguished_ computer account credentials instead of an Active Directory user
name account. If using an Active Directory user account, use -p if you
want to include the user's password in the command line. If you
don’t specify this option, you are prompted for the password.

Delinea Server Suite Unix and Linux Evaluation Guide Page 27 of 40

Next Steps

For more information about the sample scripts and how they can be used or modified, see the ADEdit Command
Reference and Scripting Guide.

Next Steps
You have now explored some of the additional tools available for working with Server Suite-managed computers,
including the basic features of ADEdit sample scripts and default reports. You are now ready to see how you can
use the audit and monitoring service to capture, replay, and manage user sessions on managed Linux and UNIX
computers.

Auditing Sessions
This chapter describes how to install and use the Delinea Administration and Services components. The auditing
service is a process on each managed UNIX and Linux computer that captures user session input and output and
transfers this information to a collector service. The collector service forwards the audited sessions to a database,
where it is available for review and replay.
n Install Auditing Components on Windows
n Configure a New Audit Installation
n Enabling Linux Desktop Auditing
n Check that Auditing is Enabled
n Viewing Sessions with Predefined Queries
n Replaying a Session
n Managing Audited Sessions
n Creating Custom Queries

Install Auditing Components on Windows

For the evaluation, you are going to install the auditing infrastructure on a single Windows computer. To complete
these steps, you will install a Microsoft SQL Server database for the evaluation environment, a single collector, and
the Audit Manager and Audit Analyzer consoles from the Audit & Monitoring Service setup program. You have
already installed the auditing service on the Linux or UNIX computer you are using for the evaluation.
To install auditing components on the Windows computer

1. On the physical or virtual computer where you downloaded Server Suite software, double-click autorun.
2. On the Getting Started page, click Audit & Monitor.
3. At the Welcome page, click Next.
4. Review the terms of the license agreement, click I accept the terms in the license agreement, then click Next.
5. Select both Centrify Administration and Centrify Services to install all components, then click Next.

Delinea Server Suite Unix and Linux Evaluation Guide Page 28 of 40

Auditing Sessions

6. Accept the default location for installing files by clicking Next, then click Next to proceed with the installation.
7. Confirm that the Launch Configuration Wizard box is selected by default, then click Finish.
8. Click Exit to close the Getting Started page.

Configure a New Audit Installation

An audit installation is a logical object similar to an Active Directory forest or site. It encompasses all of the auditing
components you deploy—agents, collectors, audit stores, audit store databases, management database, and
consoles—regardless of how they are distributed on your network. The installation also defines the scope of audit
data available. All queries and reports are against the audit data contained within the logical boundary of the
installation.
To create a new installation for auditing in the evaluation environment

1. If you have launched the new installation wizard automatically, at the Welcome page, click Next.
You can also use Audit Manager to launch the new installation wizard.
2. In the New Installation wizard, accept the default audit installation name by clicking Next.
For the evaluation, use the default installation name to automatically collect the sessions cached on the
managed computers. If you use a different name, you must manually specify the installation an audited
computer should use.
3. Select the option to create a new management database and verify the SQL Server computer name, instance
name, and database name are correct, then click Next.
4. Select Use the default NT AUTHORITY\SYSTEM account to run the stored procedures that read and write
information to the management database, then click Next.
5. Type the license key you received, then click Add or click Import to import the keys directly from a file, then click
Next.
6. Accept the default location for publishing installation information, then click Next.
7. Select the installation-wide auditing options you want to enable, then click Next.
For the evaluation, select Enable video capture recording of user activity to capture shell activity on the
audited computer, then click Next. Do not select the options that disallow the review and deletion of your own
sessions.
8. Review details about the installation and management database, then click Next.
If you have SQL Server system administrator (sa) privileges and can connect to the SQL Server instance, the
wizard automatically creates the management database.
9. Select the Launch Add Audit Store Wizard option if you want to start the Add Audit Store wizard, then click
Finish.

Enabling Linux Desktop Auditing

In addition to shell auditing, for some Linux systems you can also enable desktop auditing. When desktop auditing
is enabled, the user's entire screen is continuously monitored to record all graphical interactions. More specifically,
desktop auditing captures the following:

Delinea Server Suite Unix and Linux Evaluation Guide Page 29 of 40

Auditing Sessions

n The application name and window title when the user switches the focus to that application. For example, if a
user opens a web browser or a terminal window.
n Changes to the application window title that currently has focus. For example, if a user opens a web browser
and goes to a new web page, desktop auditing records the title of a web page.

The supported platforms for Linux desktop auditing are as follows:

n RHEL 6, 7, and 8 with GNOME v3
n CentOS 6, 7, and 8 with GNOME v3

Linux sessions must be running X as the primary display manager (not Wayland).
Linux desktop auditing requires shell session auditing.
To enable desktop auditing on a Linux computer

1. Log on as a user with root privileges.

2. Run dacontrol with the -x option or the --desktop-audit option:
dacontrol -x
dacontrol --desktop-audit
To enable both shell and desktop auditing at the same time, use both the -e and -x options:
dacontrol -e -x
3. Run dainfo to verify that desktop auditing has been enabled.
For example, the relevant information from the dainfo command looks like this:
Pinging adclient: adclient is available
Daemon status: Online
Current installation: 'DirectAudit' (configured locally)
Current collector: test.acme.com:5063:HOST/[email protected]
DirectAudit NSS module: Active
...
DirectAudit desktop auditing: Enabled
User (root) audited status: Yes

When you enable auditing, the desktop auditing module shows as Enabled. You can also see if auditing is enabled
or not for a system in the Audit Manager console.

Verify that Auditing is Enabled

After the auditing infrastructure is installed and configured, you are ready to audit activity on the managed
computers where the Server Suite Agent is installed.
To check that auditing is enabled on the managed computer

1. Log on to the managed computer as root.

2. Run the following command verify auditing is enabled:
dacontrol -e
This command will enable auditing or display a message indicated that auditing is already enabled.

Delinea Server Suite Unix and Linux Evaluation Guide Page 30 of 40

Auditing Sessions

Within a few minutes the collector service should start to retrieve session activity for the managed computer. For
more information about configuring and managing the auditing infrastructure, see the Auditing Administrator’s
Guide.

Viewing Sessions with Predefined Queries

After you have started collecting user activity on a managed computer, you can use Audit Analyzer to view and
replay the sessions captured. For example, you can open Audit Analyzer and select Active Sessions to see
sessions that are currently in progress.
Audit Analyzer includes many predefined queries like the Active Sessions query that you can use to find the
sessions in which you are interested. To access the predefined queries, expand Audit Sessions. You can then
select a predefined query to display a list of the audited sessions that meet the conditions of that query. For
example, if you want to search for sessions by user, you can select the “All, Grouped by User” query, then select the
specific user whose sessions are of interest to see a list of all the sessions captured for that user. For example, in
the right pane, you would select a user from the list.

After you select a specific user, Audit Analyzer displays detailed information about each of that user’s sessions. For
each session, Audit Analyzer lists the user name who started the session, the user display name, the account name
used during the session, the name of the audited computer, the audit store used, start and end time, current state,
whether the audited session is a console or terminal client session, the review status of the session, the name of the
user that modified the status, the size of the session in kilobytes, and any comments that have been added to the
session.
In addition to the predefined queries for audited sessions, Audit Analyzer includes predefined queries for audit trail
events and predefined queries for basic reports. You can explore these queries on your own as you capture
additional activity.

Replaying a Session
If you accepted the defaults when you created the installation for auditing, you should have video capture auditing
enabled. Video capture auditing records all standard input (stdin), standard output (stdout), and standard error
(stderr) activity that occurs on the managed computer. With video capture enabled, you can select a session, right-
click, then select Replay to review the session in the session player.

Delinea Server Suite Unix and Linux Evaluation Guide Page 31 of 40

Auditing Sessions

At this point in the evaluation, you have had very limited activity on the Linux or UNIX computer you are managing
and auditing. Before replaying any sessions, you might want to log on to the managed computer and run several
simple UNIX shell commands, then close the UNIX terminal and log off.
To replay the sample session

1. Open Audit Analyzer from the desktop icon.

2. Click Today in the left pane to list the sessions that have run today.
3. Select the session that has UNIX shell command activity, right-click, then click Replay to display the session
player.
The left pane of the session player displays a summary of activity. You can search on any column to find events
of interest. You can also search for a specific text string. For example:

4. Click the Play/Pause icon at the bottom of the session player to start or stop the session you are viewing.
You can also fast forward session playback by clicking the Speed control icon to play back at 2x or 3x the
normal speed. The dark blue playback line across the bottom of the window represents the total time of the
session. You can drag the Timepoint needle to go directly to a specific point in the session.
The Real-time icon toggles to allow you to play back a session as it was recorded in real time or move swiftly
from one user action to the next. The Session point in the lower right corner identifies the date and time of the
current point in the session playback.
5. Close the session player.

Managing Audited Sessions

You can right-click any session to view an indexed list of the commands captured, export the session activity to
another format for sharing or further analysis, update the review status for the session, or delete the session.

Using Command Summaries

You can view a list of the commands the user executed in a selected session by right-clicking the session, then
selecting Indexed Command List. This option provides a summary of user activity so that you can quickly scan for
events of interest or for suspicious activity without replaying activity. You can then start the session player from a
specific command in the list by selecting the command and clicking Replay.

Delinea Server Suite Unix and Linux Evaluation Guide Page 32 of 40

Auditing Sessions

Exporting Sessions
You can export session activity to several different formats to enable you to share information for review and
analysis. After selecting a session, you can right-click to export the session to the following formats:
n As a plain text (TXT) file that includes the time of each input and output event that occurred during the session.
n As a comma separated values (CSV) file where each row represents a single command input or output line from
the terminal window.
n As a Microsoft Windows Media Video (WMV) file can be played by using any media player that supports the
WMV format. This option enables you to share the video capture of activity with auditors or other users who
don’t have access to Audit Analyzer. You should note, however, that WMV files do not include all of the
information available in the session player. For example, exporting a session to a WMV files does not preserve
information such as the session summary that includes the user name, computer, start and end time for the
session and the summary of events.
n As a uniform resource identifier (URI) by selecting Copy Session URI. This option enables you to share the
session with auditors or other users who don’t have access to Audit Analyzer. Once copied to the clipboard, you
can paste the URI into a browser to open the session for replay.

Viewing and Editing Session Properties

If you select a session, right-click, then select Properties you can view detailed information about the session,
including the type of session, the session start and end times, the zone where the session took place, the audit
store where the session is stored, details about the user whose activity was recorded and computer where the
session ran, and the current status of the session. From the properties section, you can also view the current review
status for the session, when the review status was last modified, and who made the change to the review status.
You can also click on the Reviewers tab in Properties to see the list of users that are authorized to review the
session, change the status of the session, and add comments to the session. By clicking the Comments tab, you
can also view and add comments to the session. For example, you might want to use the Comments tab to add
details about what to look for in a session to assist a reviewer or to provide additional information when you change
the review status of a session.

Updating Review Status for a Session

You can use the Update Review Status for a session to distinguish sessions that warrant attention and to mark
their progress through your review cycle. For example, if you find a session that warrants analysis, you might right-
click to select Update Review Status, then select To be Reviewed. After you select a new status, you are prompted
to add comments and the session is added to the appropriate predefined query in the left pane. For example, if you
selected To be Reviewed status, the session to the Sessions to be Reviewed list.
After you review the session and you determine it needs further action, you might select the Pending for Action
review status. Selecting this status removes the session from Sessions to be Reviewed list and adds it to Sessions
Pending for Action list.

Deleting Sessions
You can select a session, right-click, then select Delete to delete a session after you have finished reviewing
activity and taken appropriate action or when it is no longer needed. Selecting this option deletes the session from
all predefined and custom query lists. For example, if you delete the session from the results for the Today

Delinea Server Suite Unix and Linux Evaluation Guide Page 33 of 40

Auditing Sessions

predefined query, the session might also be deleted from the results for the predefined Sessions to be Reviewed
query or any shared or private queries where it was previously listed.

Creating Custom Queries

In addition to the predefined queries, you can use Audit Analyzer to create your own queries for locating sessions
using specific criteria. For example, you might want to find all sessions that contain the string sudo or that ran a
specific program. To search for these sessions, you can create a custom query definition.
For audited sessions, you can create:
n Quick queries
n Private queries
n Shared queries

If you create a quick, private, or shared query, a new node is added to the Audit Analyzer console for that type of
query under the Audit Sessions node. If you want to search for audit trail events, you can also create queries for
audit events, which are added to Audit Analyzer under the Audit Events node.
To create a new custom query

1. Open Audit Analyzer, select Audit Sessions, right-click, then select one of the following options for a new query:
n New Quick Query
n New Private Query
n New Shared Query
2. Type a name and description for the query.
3. Select the type of sessions that you want the query to find.
For example, select UNIX sessions to limit the search to only include UNIX sessions. By default, new queries
search for both UNIX and Windows sessions.
4. Select an attribute for grouping query results, if applicable.
5. Select an attribute for ordering query results within each group, if applicable.
6. Click Add to add search criteria to filter the results of the query.
7. Select an appropriate attribute from the Attribute list based on the sessions you want to find.
8. Select the appropriate criteria for the attribute you have selected, then click OK.
The specific selections you can make depend on the attribute selected. For example, if the attribute is Review
status, you can choose between “Equals” and “Not equals” and the specific review status you want to find., such
as “To be Reviewed.” If you select the attribute Comment, you can specify “Contains any of” and type the text
string that you want to find any part of.
9. Click Add to add another filter to the criteria for the query, or click OK to save the query and find the sessions
that match the criteria you have specified.

Delinea Server Suite Unix and Linux Evaluation Guide Page 34 of 40

Frequently Asked Questions

Frequently Asked Questions

This section provides answers to common questions and information about specific features that are not applicable
for all organizations. You should review the questions covered to see if there are any topics of interest or are
relevant to your situation.
n How Do I Accommodate Legacy or Conflicting Identity Information?
n Can I have Separate Role Assignments for Specific Computers?
n How Can I Manage Access Rules for Computers in Different Zones?
n How do I Manage Access Privileges during Application Development?
n How do I Terminate a User Account but Keep the Account Profile?
n Can Active Directory Credentials be used to Log in to Applications?
n Can Active Directory Credentials be used for Phone and Tablet Users?
n How Do I Migrate from NIS Maps to Server Suite?

How Do I Accommodate Legacy or Conflicting Identity Information?

If you plan to migrate existing UNIX and Linux users to Active Directory, you might have users that already have
different login names or UIDs on multiple UNIX or Linux computers. For file and directory ownership to continue
uninterrupted, those users must be able to continue using those legacy identity attributes.
To accommodate different login names and UIDs on different computers, you can create computer-level overrides
that let you change just those UNIX attributes you need to change for individual UNIX or Linux computers. The
legacy attributes remain tied to a single Active Directory account, but enable you to deploy with no changes to your
existing environment.
To set computer-level overrides

1. Expand Zones and parent and child zones to find the zone for the computer requiring an override.
2. Expand Computers to display the computer requiring an override.
3. Expand the computer name and UNIX Data.
4. Right-click Users under the selected computer, click Add User to Zone
5. Search for and select the Active Directory user.
6. Select the UNIX properties to change in the user’s UNIX profile.
For example, you can change the UID used for the selected user. The new profile attribute is only used on the
computer where you make the change.
7. Set the new value, then click OK.

For all other computers in the selected zone and in other zones, the user’s UNIX profile remains unchanged. You
can change any or all profile attributes on other computers to accommodate your legacy identity information.

Delinea Server Suite Unix and Linux Evaluation Guide Page 35 of 40

Frequently Asked Questions

Can I have Separate Role Assignments for Specific Computers?

Yes. Server Suite-managed computers get their role assignments from three places:
n Parent and child zone role assignments made in the Authorization node.
n Role assignments made at the computer level.
n Role assignments made in the zone’s computer roles.

Generally, you start assigning roles at the child zone and then the computer role levels. However, there are
occasions when you need to make the role assignment for a single computer. In this case, you use the computer-
level override functionality.
To make a role assignment as a computer-level override

1. Expand Zones and parent and child zones to find the zone for the computer requiring an override.
2. Expand Computers to display the computer requiring an override.
3. Expand the computer name and select Role Assignments.
4. Right-click Role Assignments under the selected computer, click Assign Role.
5. Select the role requiring a computer-specific assignment.
6. Click Add AD Account to search for and select a user or group.

How Can I Manage Access Rules for Computers in Different Zones?

You can use computer roles—groups of computers with a common purpose—to simplify assigning access roles. A
computer role is simply an Active Directory group of computers. You create this group because a specific set of
computers have something in common. For example, you can create a security group for all Oracle database
servers in your organization, or all Oracle servers in a specific location, or all Oracle servers owned by a certain
team of administrators. The same computers might be in multiple Active Directory groups, but each group defines a
specific purpose. The computers might also be in the same zone or different zones.
A computer role enables you to associate an Active Directory group of computers with a specific set of access rules
that apply to just that set of computers.
To create a computer role that defines access rules for a group of computers

1. Create Active Directory groups for the sets of users who have specific access rights.
For example, you might create a group for OracleUsers and a group for OracleAdmins in the Delinea UNIX
Groups organizational unit.
2. In Access Manager, expand Zones and parent and child zones to find the zone for the computer requiring a
computer role.
3. Expand Authorization, right-click Computer Roles, then select Create Computer Role.
4. Type the name and description, then select Create group to create the Active Directory security group for the
computers than share a common purpose.
For example, create a new global group named Oracle Servers.

Delinea Server Suite Unix and Linux Evaluation Guide Page 36 of 40

Frequently Asked Questions

5. In Access Manager, create or identify the access rights and role definitions that will be specifically applicable for
the set of computers.
For example, define the access rights appropriate for the Oracle users and for the Oracle administrators.
Add role definitions for the Oracle users (OracleLoginRights) and administrators (OracleAdminRights), then add
the appropriate rights to each role.
6. Assign the role definitions to the appropriate Active Directory groups.
For example, assign the OracleLoginRights role to the OracleUsers group and the OracleAdminRights role to
the OracleAdmins group.
7. Add the computers to the computer role group.
For example, expand Computer Roles and Oracle servers, right-click Members, then select Add Computer to
add each Oracle server to the Members node.

How do I Manage Access Privileges during Application Development?

In-house application development and deployment typically require three sets of computers, each with its own set
of users and privileges:
n Development: The set of computers with the source code and tools for application development. You only want
your developers and maybe one or two users to have access to these computers.
n Test: The set of computers used by QA to confirm that the application conforms to specifications. You only want
the QA staff to have access to these computers.
n Production: The computers deployed throughout the enterprise. You don’t want developers or QA to have
access to these computers.

You can use computer roles to ensure that only specified users have access at each stage. In this case, you would
define two computer roles in the zone:
n DevelopmentSystems
n TestSystems

Then, you would do the following:

n Create Developer and Tester groups in Active Directory.
n Create Developer and Tester roles and add the rights in Access Manager.
n Assign the roles to the groups in the DevelopmentSystems and TestSystems roles.
n Add the development and test computers as a member to each role.

Now, only the members of the Developer and Tester Active Directory groups have access to the corresponding
computer role’s member computers.

How do I Terminate a User Account but Keep the Account Profile?

When a user leaves the company, you might want to retain their account profile to ensure all of the files they created
on your organization’s UNIX and Linux computers have an owner. You can use the predefined listed role to retain
an account profile with no access privileges.

Delinea Server Suite Unix and Linux Evaluation Guide Page 37 of 40

Removing Software after an Evaluation

To create the group and assign the role

1. Create an Active Directory group in the UNIX Groups organizational unit called Listed. In the description enter,
Terminated users.
2. In Access Manager, expand Zones and find the zone where the account profile is required.
3. Expand Authorization and Role Assignments, then select Assign Role.
4. Select the listed role, click Add AD Account, search for and select the select the Listed Active Directory group,
then click OK.

To terminate a user

1. Remove the user account from all of the UNIX Groups that have access rights.
2. Verify that the user has no role assignments and no effective rights in any zone.
3. Add the user account to the Listed group.

If the user rejoins the company, you simply delete the user from the Listed group and add the user to groups, as
needed.

Can Active Directory Credentials be used to Log in to Applications?

Yes. Delinea provides additional packages that let you configure single sign-on for Apache, Tomcat, JBoss,
WebSphere and WebLogic web servers, and for Oracle, DB2, and SAP database applications.

Can Active Directory Credentials be used for Phone and Tablet Users?
Yes. Delinea offers software that enables you to authenticate users on iOS and Android devices before they can
access their company email, web, and SaaS applications. A separate evaluation package is available for you to try
out mobile device management for smart phones or tablets. Contact your sales representative for a free evaluation.

How Do I Migrate from NIS Maps to Server Suite?

Access Manager provides an extension that enables you to import and manage NIS network maps in Active
Directory on a zone-by-zone basis. For UNIX and Linux computers and applications that submit lookup requests
directly to a NIS server listening on the NIS port, you can also deploy the Delinea Network Information Service,
adnisd, to receive and respond to NIS client requests from the NIS map information stored in Active Directory.

Removing Software after an Evaluation

The evaluation software can only be used for a limited time. After you complete the evaluation, you should remove
the software to free up space on the physical or virtual computers you used for the evaluation. This section
describes the steps for removing components from the Windows computer you used for the evaluation and the
UNIX or Linux computer you added to Active Directory.
n Removing Authentication and Privilege Services
n Removing the Audit and Monitoring Service

Delinea Server Suite Unix and Linux Evaluation Guide Page 38 of 40

Removing Software after an Evaluation

n Removing Server Suite Agents

Removing Authentication and Privilege Services

The most efficient way to remove the Authentication & Privilege Services components from a Windows computer is
to rerun the setup program that installed them.
To remove Authentication & Privilege components

1. On the physical or virtual computer where you downloaded Server Suite software, double-click autorun.
2. On the Getting Started page, click Authentication & Privilege.
3. At the Welcome page, click Next.
4. Select Uninstall, then click Next.
5. Review the list of software to be removed, then click Next.
6. Click Finish to exit the wizard.

The Authentication & Privilege components are now removed from the host Windows computer. You should note,
however, that these steps do not remove any of the Active Directory organizational units, users, or groups you used
for the evaluation. You should manually remove these objects with Active Directory Users and Computers or ADSI
Edit.

Removing the Audit and Monitoring Service

The most efficient way to remove Delinea Management Services components from a Windows computer is to rerun
the setup program that installed them.
To remove the Audit & Monitoring Service components

1. On the physical or virtual computer where you downloaded Server Suite software, double-click autorun.
2. On the Getting Started page, click Audit & Monitor.
3. Select Uninstall, then click Next.
4. Click Finish to exit the wizard.

The Audit & Monitoring Service components are now removed from the host Windows computer. You should note,
however, that these steps do not remove the installation service connection point, databases, or database
instances. You should manually remove these objects with ADSI Edit and Microsoft SQL Server Management
Studio.

Removing Server Suite Agents

Follow the steps below to remove the Server Suite Agent for *NIX and command line programs—such as adinfo,
adjoin, adquery, dacontrol, and dzinfo— from the computer.
You can rerun the install.sh script interactively or silently using a configuration file to remove Server Suite software
from a managed computer.
To remove the agent and other packages using the install.sh script

Delinea Server Suite Unix and Linux Evaluation Guide Page 39 of 40

Removing Software after an Evaluation

1. Log on and open a terminal on the managed computer.

2. Run the adleave command to remove the computer from the domain controller.
adleave -u administratorname
The user name you specify with the administratorname argument should be an account with Active Directory
administrator privileges.
3. Type the password for the an account name you specified.
4. Change to the directory that contains the extracted agent package.
5. Run the installation script.
/bin/sh install.sh
The script determines the Server Suite software you have installed on the computer and displays the details for
you to review.
6. Enter E to proceed.
7. Confirm the removal of packages by entering Y to proceed.
8. Enter Y to reboot the computer after removing software packages.

Delinea Server Suite Unix and Linux Evaluation Guide Page 40 of 40