Re: DirectControl - need to obtain UID before provisioning

Welcome back.  Happy to help!

 

Excellent question.  We have discussed these topics in the past in this series: https://community.centrify.com/t5/TechBlog/Basics-Centrify-Zone-schemas-UNIX-identity-data-sourcing-and/ba-p/23947

 

When using DirectControl, the UID/GID values are based on the user's (or group's) SID - this provides the assurance that the UNIX identity generated will not collide.   Good info on SIDs here.

Most importantly, we support different algorithms (schemes) to facilitate migrations.   The most common example is the Apple Scheme.  We support this scheme to generate UID/GID to facilitate large migrations from the AD Apple Plugin to Centrify DirectControl.

 

Info on Apple Scheme here: https://docs.centrify.com/en/centrify/macadmin/index.html#page/macadmin/adm_generate_UID_and_GID_for_mac_users.html

 

The key here is that you must understand which scheme is currently in use before you can try to determine the user's identity.  Note that by default, the Centrify scheme is used, and this can be set in different places:

  • Locally at the client level:  (highly undesirable because you have to touch each system) and ideally facilitated by a tool like Chef, Puppet, Ansible, etc.
    This means that you could pre-determine the UID for a user, but if the scheme is overridden at the client level (e.g. in the case of Mac OS X), the UID will not match.  Should you bump into this issue, make sure you check the auto.schema.apple_scheme parameter. By default it is false or commented.
  • At the zone level: Zones provide maximum flexibility and capabilities for Centrify customers.  Each zone can be configured to use a different scheme if needed (again, this is highly undesirable because the same user may need access to multiple zones, and if the zones are using different schemes, this causes a mess and creates challenges, especially with multi-protocol network filers).  This is why, during the design sessions, this is one of the most important topics to discuss.  Basically, picking (and sticking to) a consistent scheme will guarantee a collision-free future and less need to use chown.

    At the zone level, with Access Manager, this is set on the Zone Properties > User Defaults (or Group Defaults)
    [screenshot: scheme.png]
    Also, keep in mind that utilities like Zone Provisioning Agent (ZPA) will respect this setting.

Determining the UID/GID Manually

Requirements:  Access Manager and the "Add users to the zone"  delegated right.  Or ADUC with the Centrify extension.

  1. Open Access Manager.
  2. Go to the target zone > UNIX Data > Users, right click the whitespace on the right pane and select "Add user to zone"
  3. Type the name of the user in the dialog box and, voila!
    [screenshot: unix-id.PNG]
  4. Now you can write down the UID/GID data and cancel.
    Note:  You could even save the user, and since they may not have a role assignment, the user may not even become visible to the target system (this highly depends on your access model).

With Active Directory Users and Computers

If you have extended the Centrify plugin for ADUC, you can do this by leveraging the Centrify Profile tab.

[screenshot: aduc-id.PNG]

 

Programmatically (PowerShell)
Requirements: You need the Centrify DirectControl PowerShell module from the suite installation image or zip.

This method requires that you write the user to the zone temporarily and then you can delete the profile.

 # Load the DirectControl cmdlets (module name as shipped with the suite; adjust if your version differs)
 Import-Module Centrify.DirectControl.PowerShell
 $zone = Get-CdmZone -Name 'Global'
 # $profile is a PowerShell automatic variable, so the temporary profile gets its own name
 $preview = New-CdmUserProfile -Zone $zone -User 'joe.doe@centrify.vms' -UseAutoUid -AutoPrivateGroup
 Write-Host "The UID for $($preview.User) is $($preview.Uid)"
 # Delete the temporary profile so the user is not left provisioned in the zone
 Remove-CdmUserProfile -Profile $preview

The output of this quick script is:

The UID for joe.doe@centrify.vms is 1040192047

Note that my usage of New-CdmUserProfile is malformed (it's missing key data), but ultimately gives me what I need which is a preview of the user's future UID based on that zone's scheme settings.

 

Workstation or Express Mode

Since all users are UNIX-enabled and have login rights to the systems, all you need to do is run the adquery user command.  Funnily enough, since an Express system does this automatically, this can be used if you don't have access to AM, ADUC or even PowerShell.  All you need to do is join a UNIX/Linux or Mac system to AD in workstation mode (e.g. sudo adjoin -w -u user example.com) and, after the cache is built, run the adquery user [username] command.  This will display the user's unique UID/GID using the default Centrify scheme.

 

I hope this helps.

 

R.P
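The following is an added example, not code from the original post or from Centrify: it wraps the "write the profile temporarily, read it, delete it" approach above into a function that previews the auto-generated UID for several users at once, guarantees the temporary profile is removed in a finally block even if the lookup fails, and compares each previewed UID against the UIDs already assigned in the zone (with the SID-based Centrify scheme a collision is not expected, so a hit there is a sign that the zone or a client is using a different scheme). The module name, the zone name 'Global', the user UPNs, and the use of Get-CdmUserProfile -Zone to list the zone's existing profiles are assumptions for illustration; only the Uid property the post itself prints is relied on.

```powershell
# Added example, not from the original post. Assumptions: module name, zone name,
# user UPNs, and that Get-CdmUserProfile -Zone returns the zone's existing profiles.
Import-Module Centrify.DirectControl.PowerShell

function Get-PreviewedUnixIdentity {
    param(
        [Parameter(Mandatory)] [string]   $ZoneName,
        [Parameter(Mandatory)] [string[]] $User
    )

    $zone = Get-CdmZone -Name $ZoneName
    if (-not $zone) { throw "Zone '$ZoneName' not found" }

    # UIDs already assigned in this zone, keyed as strings, to flag any unexpected collision
    $existing = @{}
    foreach ($p in (Get-CdmUserProfile -Zone $zone)) {
        $existing[[string]$p.Uid] = $p.User
    }

    foreach ($u in $User) {
        $tmp = $null
        try {
            # Writing the profile is what makes the zone apply its UID scheme
            $tmp = New-CdmUserProfile -Zone $zone -User $u -UseAutoUid -AutoPrivateGroup
            [pscustomobject]@{
                User      = $u
                Uid       = $tmp.Uid
                Collision = $existing.ContainsKey([string]$tmp.Uid)
                ClashesWith = if ($existing.ContainsKey([string]$tmp.Uid)) { $existing[[string]$tmp.Uid] } else { $null }
            }
        }
        catch {
            # Typical causes: user already has a profile in this zone, or missing delegated rights
            Write-Warning "Could not preview $u in zone $($ZoneName): $($_.Exception.Message)"
        }
        finally {
            # Always remove the temporary profile so nobody is left provisioned by accident
            if ($tmp) { Remove-CdmUserProfile -Profile $tmp }
        }
    }
}

Get-PreviewedUnixIdentity -ZoneName 'Global' -User 'joe.doe@centrify.vms', 'jane.roe@centrify.vms' |
    Format-Table -AutoSize
```

Run it with the same "Add users to the zone" delegated right the manual method needs; a user who already has a profile in the zone is reported as a warning rather than re-created, and because the removal sits in finally, an error between creation and the Uid read still cleans up the temporary profile.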

 

