TOM KEMP'S CENTRIFY BLOG
Monday, February 18, 2008
As many of you know, Centrify DirectControl provides a comprehensive solution for global policy enforcement by extending Windows Group Policy services to Linux, UNIX and Mac systems. I want to use this blog entry to describe in a bit more detail how Centrify DirectControl implements Group Policy in a heterogeneous environment.
[Side note: later this week we are pleased to be hosting a live Group Policy webinar. If you sit in on the webinar you will get a concise overview of how Group Policy works from Jeremy Moskowitz (author of authoritative works on both Windows Group Policy and Windows/Linux integration). You will also hear from our own David McNeely, who will explain the workings of the Group Policy engine that is seamlessly built into DirectControl and demonstrate locking down user and security settings on a Mac desktop system via GPOs provided by DirectControl.]
In the Windows environment, most of the configuration settings defined in a Group Policy Object are implemented through entries in the local Windows registry. For UNIX computers and users, however, local configuration details are typically defined using a set of configuration files stored in the /etc directory. In addition, the Windows and UNIX environments have different configuration requirements, and so require different settings to be available through Group Policy.
To address these differences, Centrify DirectControl provides its own group policies that allow administrators to use Group Policy Objects to configure settings for Centrify DirectControl-managed computers and users. To enable you to use Group Policy Objects to configure settings for UNIX-based computers and users, Centrify DirectControl:
The virtual registry is a collection of files that contain all of the Group Policy configuration settings from the group policies applied to the computer through the Group Policy hierarchy, including settings that apply only to Windows computers. Because the files that make up this virtual registry are not native to the UNIX environment, Centrify DirectControl then uses a set of mapping programs to read the files, determine the settings that are applicable to UNIX computers and users, and make the appropriate changes in the corresponding UNIX configuration files to implement the configuration specified. The mapping programs ignore any Windows-specific settings that have been applied and only map the settings that are appropriate for the UNIX environment.
The following figure provides a simplified view of the process.
As this figure suggests, the Centrify DirectControl daemon, adclient, retrieves policy settings from the Active Directory domain controller and starts the program runmappers. The runmappers program runs the individual mapping programs and those individual mapping programs read settings from the virtual registry and translate them into the appropriate settings in application-specific configuration files.
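To make the adclient / runmappers / mapper flow concrete, here is a small added example in Python that is not Centrify's code and does not use Centrify's real file formats or paths. It assumes a virtual registry snapshot flattened into a dict (the policy paths and value names are constructed for illustration), two mappers that each own one UNIX configuration file, and a `set_directive` helper that rewrites a `key value` line idempotently so the mappers can be re-run on every policy refresh. Windows-only entries fall out simply because no mapper claims them, which is the behaviour the text describes.

```python
import re

# --- Constructed input ---------------------------------------------------------
# A snapshot of the "virtual registry" as a flat dict: (policy path, value name) -> value.
# Paths and names are made up for this example; they are not Centrify's real layout.
VIRTUAL_REGISTRY = {
    ("Policies/Windows/System", "DisableCMD"): "1",                    # Windows-only
    ("Policies/Windows/TerminalServices", "fDenyTSConnections"): "1",  # Windows-only
    ("Policies/Unix/Password", "MaximumPasswordAge"): "90",
    ("Policies/Unix/Password", "MinimumPasswordAge"): "1",
    ("Policies/Unix/SSH", "PermitRootLogin"): "no",
    ("Policies/Unix/SSH", "Ciphers"): "aes256-ctr",
}

# Starting contents of the UNIX config files the mappers own (constructed).
CONFIG_FILES = {
    "/etc/login.defs": "PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nUMASK\t022\n",
    "/etc/ssh/sshd_config": "#PermitRootLogin yes\nX11Forwarding no\n",
}

# --- Mapper definitions (hypothetical) -----------------------------------------
# Each mapper knows one application's file, its "key<sep>value" syntax, and the
# registry entries it understands. Anything not listed here is ignored, which is
# how Windows-only settings drop out.
MAPPERS = [
    {
        "file": "/etc/login.defs",
        "sep": "\t",
        "map": {
            ("Policies/Unix/Password", "MaximumPasswordAge"): "PASS_MAX_DAYS",
            ("Policies/Unix/Password", "MinimumPasswordAge"): "PASS_MIN_DAYS",
        },
    },
    {
        "file": "/etc/ssh/sshd_config",
        "sep": " ",
        "map": {
            ("Policies/Unix/SSH", "PermitRootLogin"): "PermitRootLogin",
            ("Policies/Unix/SSH", "Ciphers"): "Ciphers",
        },
    },
]


def set_directive(text, key, value, sep):
    """Return text with exactly one 'key<sep>value' line for key.

    An existing line for the key (even a commented-out one such as
    '#PermitRootLogin yes') is replaced in place; otherwise a line is appended.
    Re-running with the same value is a no-op, so a mapper can run on every
    policy refresh without duplicating directives.
    """
    pattern = re.compile(
        r"^[ \t]*#?[ \t]*" + re.escape(key) + r"([ \t]|=|$).*$", re.MULTILINE
    )
    line = f"{key}{sep}{value}"
    if pattern.search(text):
        return pattern.sub(lambda m: line, text, count=1)
    if text and not text.endswith("\n"):
        text += "\n"
    return text + line + "\n"


def run_mappers(registry, config_files):
    """Run every mapper over the virtual registry, in the role of runmappers.

    Returns (updated_files, applied, ignored): the new config texts, the
    (file, directive, value) settings written, and the registry entries that
    no mapper claimed (i.e. not applicable to this UNIX system).
    """
    updated = dict(config_files)
    applied = []
    claimed = set()
    for mapper in MAPPERS:
        text = updated[mapper["file"]]
        for reg_key, directive in mapper["map"].items():
            if reg_key not in registry:
                continue  # policy not set for this computer; leave the file alone
            value = registry[reg_key]
            text = set_directive(text, directive, value, mapper["sep"])
            applied.append((mapper["file"], directive, value))
            claimed.add(reg_key)
        updated[mapper["file"]] = text
    ignored = sorted(k for k in registry if k not in claimed)
    return updated, applied, ignored


if __name__ == "__main__":
    files, applied, ignored = run_mappers(VIRTUAL_REGISTRY, CONFIG_FILES)
    for path, text in files.items():
        print(f"== {path} ==\n{text}")
    print("ignored (not applicable to UNIX):", ignored)
```

The point of returning the ignored list is auditability: a real mapper run should leave a record of which policy entries it applied and which it deliberately skipped, so that an administrator can tell a Windows-only setting that was correctly ignored from a UNIX setting that silently failed to map.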
A couple of additional items are worth pointing out. First, Centrify DirectControl is the only solution to provide both user and computer policies, Mac-specific desktop lockdown policies, and advanced features such as group filtering and loopback processing. In addition, we provide more than 225 Group Policies out of the box for *nix systems, and allow some of the common Windows configuration settings to be applied to Centrify DirectControl-managed computers and users (e.g. password policies such as enforce password history, maximum password age and minimum password age, as well as GPs controlling logon prompts). And this cross-platform Group Policy capability is part and parcel of the DirectControl architecture, as opposed to a separate architecture that needs to be managed and configured.
Finally, I want to point out that a major new feature in DirectControl 4 is a streamlined Group Policy Object Editor interface that makes it even easier to create and edit Group Policies within the standard GPO Editor. This new interface provides a rich editing environment for many policies where multiple lines of text need to be entered or edited after initial entry, such as the sudo or firewall policies. In addition to the new user interface, DirectControl 4 also provides several new and improved Group Policies, including ones to set sudo rights, copy files and control SSH settings.
I hope that gives you a good idea of what we offer in this area. We have a wealth of information on our cross-platform Group Policy capabilities including:
Hopefully the 2+ hours of demos and presentations and/or the 300+ pages of documentation will give you a great feel for the breadth and depth of our industry leading Group Policy support for UNIX, Linux and Mac environments!