先日、Ubuntu 20をWindows Active Directoryでユーザ認証できるようにCentrify Expressをインストールしましたが、今回はRHEL 8にもインストールしてみました。
CENTRIFY EXPRESS FOR LINUX
https://www.centrify.com/express/server-suite-form/
- 展開
- インストール
- ドメイン参加
- 再起動、ログイン
上記サイトからRHEL用プログラムをダウンロード、展開します。今回はcentrify-server-suite-2021-rhel6-x86_64.tgzを使用しました。
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 |
[root@rhel8 ~]# mkdir centrify [root@rhel8 ~]# cd centrify/ [root@rhel8 centrify]# tar xvfz ../centrify-server-suite-2021-rhel6-x86_64.tgz ./adcheck-rhel6-x86_64 ./CentrifyDA-5.8.0-135-rhel6.x86_64.rpm ./CentrifyDA-5.8.0-rhel6.x86_64.rpm ./CentrifyDC-5.8.0-188-rhel6.x86_64.rpm ./CentrifyDC-5.8.0-rhel6.x86_64.rpm ./CentrifyDC-cifsidmap-5.8.0-188-rhel6.x86_64.rpm ./CentrifyDC-cifsidmap-5.8.0-rhel6.x86_64.rpm ./CentrifyDC-curl-5.8.0-188-rhel6.x86_64.rpm ./CentrifyDC-curl-5.8.0-rhel6.x86_64.rpm ./centrifydc-install.cfg ./CentrifyDC-ldapproxy-5.8.0-188-rhel6.x86_64.rpm ./CentrifyDC-ldapproxy-5.8.0-rhel6.x86_64.rpm ./CentrifyDC-nis-5.8.0-188-rhel6.x86_64.rpm ./CentrifyDC-nis-5.8.0-rhel6.x86_64.rpm ./CentrifyDC-openldap-5.8.0-188-rhel6.x86_64.rpm ./CentrifyDC-openldap-5.8.0-rhel6.x86_64.rpm ./CentrifyDC-openssh-8.6p1-5.8.0-184-rhel6.x86_64.rpm ./CentrifyDC-openssh-8.6p1-5.8.0-rhel6.x86_64.rpm ./CentrifyDC-openssl-5.8.0-188-rhel6.x86_64.rpm ./CentrifyDC-openssl-5.8.0-rhel6.x86_64.rpm ./centrify-suite.cfg ./install-express.sh ./install.sh [root@rhel8 centrify]# ls -la total 45012 drwxr-xr-x 2 root root 4096 Jan 5 05:44 . dr-xr-x---. 13 root root 4096 Jan 5 05:43 .. -r--r--r-- 1 root root 7889936 May 18 2021 CentrifyDA-5.8.0-135-rhel6.x86_64.rpm lrwxrwxrwx 1 root root 37 May 29 2021 CentrifyDA-5.8.0-rhel6.x86_64.rpm -> CentrifyDA-5.8.0-135-rhel6.x86_64.rpm -r--r--r-- 1 root root 19440028 May 29 2021 CentrifyDC-5.8.0-188-rhel6.x86_64.rpm lrwxrwxrwx 1 root root 37 May 29 2021 CentrifyDC-5.8.0-rhel6.x86_64.rpm -> CentrifyDC-5.8.0-188-rhel6.x86_64.rpm -r--r--r-- 1 root root 8644 May 29 2021 CentrifyDC-cifsidmap-5.8.0-188-rhel6.x86_64.rpm lrwxrwxrwx 1 root root 47 May 29 2021 CentrifyDC-cifsidmap-5.8.0-rhel6.x86_64.rpm -> CentrifyDC-cifsidmap-5.8.0-188-rhel6.x86_64.rpm -r--r--r-- 1 root root 351392 May 29 2021 CentrifyDC-curl-5.8.0-188-rhel6.x86_64.rpm lrwxrwxrwx 1 root root 42 May 29 2021 CentrifyDC-curl-5.8.0-rhel6.x86_64.rpm -> CentrifyDC-curl-5.8.0-188-rhel6.x86_64.rpm -r--r--r-- 1 root root 710264 May 29 2021 CentrifyDC-ldapproxy-5.8.0-188-rhel6.x86_64.rpm lrwxrwxrwx 1 root root 47 May 29 2021 CentrifyDC-ldapproxy-5.8.0-rhel6.x86_64.rpm -> CentrifyDC-ldapproxy-5.8.0-188-rhel6.x86_64.rpm -r--r--r-- 1 root root 244324 May 29 2021 CentrifyDC-nis-5.8.0-188-rhel6.x86_64.rpm lrwxrwxrwx 1 root root 41 May 29 2021 CentrifyDC-nis-5.8.0-rhel6.x86_64.rpm -> CentrifyDC-nis-5.8.0-188-rhel6.x86_64.rpm -r--r--r-- 1 root root 1253652 May 29 2021 CentrifyDC-openldap-5.8.0-188-rhel6.x86_64.rpm lrwxrwxrwx 1 root root 46 May 29 2021 CentrifyDC-openldap-5.8.0-rhel6.x86_64.rpm -> CentrifyDC-openldap-5.8.0-188-rhel6.x86_64.rpm -r--r--r-- 1 root root 1779820 May 14 2021 CentrifyDC-openssh-8.6p1-5.8.0-184-rhel6.x86_64.rpm lrwxrwxrwx 1 root root 51 May 29 2021 CentrifyDC-openssh-8.6p1-5.8.0-rhel6.x86_64.rpm -> CentrifyDC-openssh-8.6p1-5.8.0-184-rhel6.x86_64.rpm -r--r--r-- 1 root root 2801520 May 29 2021 CentrifyDC-openssl-5.8.0-188-rhel6.x86_64.rpm lrwxrwxrwx 1 root root 45 May 29 2021 CentrifyDC-openssl-5.8.0-rhel6.x86_64.rpm -> CentrifyDC-openssl-5.8.0-188-rhel6.x86_64.rpm -r-xr-xr-x 1 root root 11107472 May 29 2021 adcheck-rhel6-x86_64 -rw-rw-r-- 1 root root 55094 Nov 6 2020 centrify-suite.cfg -rw-rw-r-- 1 root root 1364 Nov 6 2020 centrifydc-install.cfg lrwxrwxrwx 1 root root 10 May 29 2021 install-express.sh -> install.sh -r-xr-xr-- 1 root root 411439 May 29 2021 install.sh |
事前にDNSをActive Directory DNSに変更して下さい。
今回はインストール時にドメイン参加しないで、後からコマンドでドメイン参加してみました。
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 |
[root@rhel8 centrify]# ./install.sh ***** ***** ***** WELCOME to the Centrify Server Suite installer! ***** ***** ***** Detecting local platform ... Running ./adcheck-rhel6-x86_64 ... OSCHK : Verify that this is a supported OS : Pass PATCH : Linux patch check : Pass PERL : Verify perl is present and is a good version : Pass SAMBA : Inspecting Samba installation : Pass NSCD : Check if Name Service Caching Daemon is running : Warning : Name Service Caching Daemon is not running SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass HOSTNAME : Verify hostname setting : Pass NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass DNSPROBE : Probe DNS server 192.168.1.1 : Pass DNSPROBE : Probe DNS server 2408:212:cee:e00:f50f:93d3:aaaa:ccc : Warning : This DNS server does not respond to requests. This is a serious problem DNSCHECK : Analyze basic health of DNS servers : Warning : One or more DNS servers are dead or marginal. : Check the following IP addresses in /etc/resolv.conf. : : The following table lists the state of all configured : DNS servers. : 192.168.1.1 (Win2019sv.EXAMPLE.JP): OK : 2408:212:cee:e00:f50f:93d3:aaaa:ccc (unknown): dead : Only one good DNS server was found : You might be able to continue but it is likely that you : will have problems. : Add more good DNS servers into /etc/resolv.conf. WHATSSH : Is this an SSH that Centrify DirectControl Agent works well with: Pass SSH : SSHD version and configuration : Warning : You are running OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021. : : This version of OpenSSH does not seem to be configured for PAM, : ChallengeResponse and Kerberos/GSSAPI support. : To get Active Directory users to successfully login, : you need to configure your OpenSSH with the following options: : (display the ones we identified were not set) : ChallengeResponseAuthentication yes : UsePAM Yes : : Centrify provides a version of OpenSSH that's configured properly : to allow AD users to login and provides Kerberos GSSAPI support. 4 warnings were encountered during check. We recommend checking these before proceeding WARNING: Centrify adcheck exited with warning(s). This installation script provides installation of the following services in Centrify Server Suite on UNIX and Linux: - Centrify Authentication Service - Centrify Privilege Elevation Service - Centrify Auditing & Monitoring Service The Centrify Authentication Service and Centrify Privilege Elevation Service are contained in the CentrifyDC (Centrify DirectControl) packages, and the Centrify Auditing & Monitoring Service is in the CentrifyDA (Centrify DirectAudit) packages. With this script, you can perform the following tasks: - Install (update) CentrifyDC & CentrifyDA packages (License required) [E] - Install (update) CentrifyDC only packages (License required) [S] - Install (update) CentrifyDC Express packages [X] - Custom install (update) of individual packages [C] You can type Q at any prompt to quit the installation and exit the script without making any changes to your environment. How do you want to proceed? (E|S|X|C|Q) [E]: X The Express mode license allows you to install a total of 200 agents. The Express mode license does not allow the use of licensed features for advanced authentication, access control, auditing, and centralized management. This includes, but is not limited to, features such as SmartCard authentication, Privilege Elevation, Auditing, Group Policy, Login User Filtering, and NSS overrides. Do you want to continue to install in Express mode? (C|Y|Q|N) [Y]:Y Do you want to run Centrify adcheck to verify your AD environment? (Q|Y|N) [Y]:Y Please enter the Active Directory domain to check [company.com]: example.jp Join an Active Directory domain? (Q|Y|N) [Y]:N You entered the following: Install CentrifyDC 5.8.0 package: Y Install CentrifyDC-openssl 5.8.0 package: Y Install CentrifyDC-openldap 5.8.0 package: Y Install CentrifyDC-curl 5.8.0 package: Y Install CentrifyDC-ldapproxy 5.8.0 package: N Install CentrifyDC-nis 5.8.0 package: N Install CentrifyDC-cifsidmap 5.8.0 package: N Install CentrifyDC-openssh 5.8.0 package: N Install CentrifyDA 5.8.0 package: N Run Centrify adcheck : Y Join an Active Directory domain : N If this information is correct and you want to proceed, type "Y". To change any information, type "N" and enter new information. Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]:Y Running ./adcheck-rhel6-x86_64 ... NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass DNSPROBE : Probe DNS server 192.168.1.1 : Pass DNSPROBE : Probe DNS server 2408:212:cee:e00:f50f:93d3:aaaa:ccc : Warning : This DNS server does not respond to requests. This is a serious problem DNSCHECK : Analyze basic health of DNS servers : Warning : One or more DNS servers are dead or marginal. : Check the following IP addresses in /etc/resolv.conf. : : The following table lists the state of all configured : DNS servers. : 192.168.1.1 (Win2019sv.EXAMPLE.JP): OK : 2408:212:cee:e00:f50f:93d3:aaaa:ccc (unknown): dead : Only one good DNS server was found : You might be able to continue but it is likely that you : will have problems. : Add more good DNS servers into /etc/resolv.conf. WHATSSH : Is this an SSH that Centrify DirectControl Agent works well with: Pass SSH : SSHD version and configuration : Warning : You are running OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021. : : This version of OpenSSH does not seem to be configured for PAM, : ChallengeResponse and Kerberos/GSSAPI support. : To get Active Directory users to successfully login, : you need to configure your OpenSSH with the following options: : (display the ones we identified were not set) : ChallengeResponseAuthentication yes : UsePAM Yes : : Centrify provides a version of OpenSSH that's configured properly : to allow AD users to login and provides Kerberos GSSAPI support. DOMNAME : Check that the domain name is reasonable : Pass ADDC : Find domain controllers in DNS : Pass ADDNS : DNS lookup of DC win2019sv.example.jp : Pass ADPORT : Port scan of DC win2019sv.example.jp 192.168.1.1 : Pass ADDC : Check Domain Controllers : Pass ADDNS : DNS lookup of DC win2019sv.example.jp : Pass GCPORT : Port scan of GC win2019sv.example.jp 192.168.1.1 : Pass ADGC : Check Global Catalog servers : Pass DCUP : Check for operational DCs in example.jp : Pass SITEUP : Check DCs for example.jp in our site : Pass DNSSYM : Check DNS server symmetry : Pass ADSITE : Check that this machine's subnet is in a site known by AD : Pass GSITE : See if we think this is the correct site : Pass TIME : Check clock synchronization : Note : This system's clock will be synchronized with AD when you join. : This system thinks the time is Wed Jan, 05 14:55:30 +03, : AD thinks the time is Wed Jan, 05 03:55:30 +03. ADSYNC : Check domains all synchronized : Pass 3 warnings were encountered during check. We recommend checking these before proceeding WARNING: Centrify adcheck exited with warning(s). Verifying packages... Preparing packages... CentrifyDC-openssl-5.8.0-188.x86_64 CentrifyDC-openldap-5.8.0-188.x86_64 CentrifyDC-curl-5.8.0-188.x86_64 CentrifyDC-5.8.0-188.x86_64 Install.sh completed successfully. |
adjoinコマンドでドメイン参加します。
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 |
[root@rhel8 centrify]# adjoin -u administrator@example.jp -n rhel8.example.jp -s win2019sv.example.jp -w example.jp -V administrator@EXAMPLE.JP's password: Options ------- Precreate: no Compatible with 2.x/3.x: no Enable Apple Scheme to generate UID/GID: no domain: example.jp user: administrator@EXAMPLE.JP container: null computer name: rhel8.example.jp Pre-Windows 2000 name: rhel8 DNS Host Name used for dNSHostName attr: null zone: Auto Zone server: win2019sv.example.jp zoneserver: null gc: null upn: null noconf: no set time: yes force: no forceDeleteObj: no forceDeleteObjWithDupSpn: no trust: no des: no self-serve: no respectEncInConf: no respectSpnInConf: no use ldap to create computer object: no license type: null createComputerZone: no forceDeleteExistingComputerZone: no Setting time Initializing domain settings file to example.jp Attempting bind to example.jp(site:) as administrator@EXAMPLE.JP on win2019sv.example.jp Using domain controller: win2019sv.example.jp writable=true Initializing forest settings file to EXAMPLE.JP Attempting bind to EXAMPLE.JP(site:) as administrator@EXAMPLE.JP on any server Using GC server: win2019sv.example.jp Using global catalog server: win2019sv.example.jp Search for object by samName: filter=(samAccountName=rhel8$) root=DC=example,DC=jp Searching for well known container for computers Using cn=computers,dc=example,dc=jp container for computer object Saving zone settings Zone name: DC=example,DC=jp Zone version: Zone schema: NULL_AUTO Zone GUID: 00112233445566778899aabbccddeeff Using RPC to create the computer account Searching for newly created computer account: DC=example,DC=jp Search for object by samName: filter=(samAccountName=rhel8$) root=DC=example,DC=jp Found existing computer object: CN=rhel8,CN=Computers,DC=EXAMPLE,DC=JP Attempting to update computer dns name... Update succeeded! Searching for SPNs in GC... Attempting to update computer service principal names... Update succeeded! Update Computer's Security Descriptor to allow computer object to read/write operating system and operating system version properties as well as reset password. Looking for ntSecurityDescriptor for object CN=rhel8,CN=Computers,DC=EXAMPLE,DC=JP .... Checking if the required permissions exist. Not all of the required permissions exist, will add them. Add Allowed ACE to Read and Write operatingSystemVersion for S-1-5-21-2398903365-364643922-1297611302-1108. Add Allowed ACE to Read and Write operatingSystem for S-1-5-21-2398903365-364643922-1297611302-1108. Add Allowed ACE to Read and Write operatingSystemServicePack for S-1-5-21-2398903365-364643922-1297611302-1108. Add Allowed ACE to Reset Password for S-1-5-21-2398903365-364643922-1297611302-1108. Add Allowed ACE to Read userAccountControl for S-1-5-21-2398903365-364643922-1297611302-1108. Add Allowed ACE to Validate write to servicePrincipalName for S-1-5-21-2398903365-364643922-1297611302-1108. Add Allowed ACE to Validate write to dNSHostName for S-1-5-21-2398903365-364643922-1297611302-1108. Unset "Trust for delegation" bit. Unset "Use Des Key Only" bit. Set operatingSystemVersion to "6.1:8.5", so that KDC will issue service ticket using AES enctypes. Set also msDS-supportedEncryptionType to "31" Update OS information. This requires computer object update rights... Update OS information succeeded Update Join Time: 132858256560000000 Setting machine password... Setting get init cred callback before set password (rc=0). Password change succeeded Samba interoperability is disabled in centrifydc.conf: Skipped synchronizing machine password with Samba Save kerberos join data... Using Win 2003 key version 2 Writing kerberos keytab Updating settings files Join to domain:example.jp, zone:Auto Zone successful Starting daemon Centrify DirectControl started. Waiting for adclient to startup ...... Adclient startup completed! Loading domains and trusts information Initializing cache . You have successfully joined the Active Directory domain: example.jp in the Centrify DirectControl zone: Auto Zone You may need to restart other services that rely upon PAM and NSS or simply reboot the computer for proper operation. Failure to do so may result in login problems for AD users. |
クライアントを再起動してログインしてみます。
Active Directoryにはコンピュータアカウントが登録されています。
テストユーザです。
guest03でログインできました。
|
1 2 3 4 5 6 7 8 9 10 11 |
[root@rhel8 ~]# adinfo Local host name: rhel8 Joined to domain: example.jp Joined as: rhel8.example.jp Pre-win2K name: rhel8 Current DC: win2019sv.example.jp Preferred site: Default-First-Site-Name Zone: Auto Zone Last password set: 2022-01-05 06:07:36 +03 CentrifyDC mode: connected Licensed Features: Disabled |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
[guest03@rhel8 ~]$ id uid=343934036(guest03) gid=343934036(guest03) groups=343934036(guest03),343933441(domain_users) [guest03@rhel8 ~]$ pwd /home/guest03 [guest03@rhel8 ~]$ ls -la 合計 28 drwx------ 15 guest03 guest03 4096 1月 5 07:52 . drwxr-xr-x. 7 root root 79 1月 5 07:52 .. -rw------- 1 guest03 guest03 310 1月 5 07:52 .ICEauthority -rw-r--r-- 1 guest03 guest03 18 1月 5 07:52 .bash_logout -rw-r--r-- 1 guest03 guest03 141 1月 5 07:52 .bash_profile -rw-r--r-- 1 guest03 guest03 376 1月 5 07:52 .bashrc drwx------ 9 guest03 guest03 213 1月 5 07:52 .cache drwx------ 12 guest03 guest03 231 1月 5 07:53 .config -rw------- 1 guest03 guest03 16 1月 5 07:52 .esd_auth -rw------- 1 guest03 guest03 19 1月 5 07:52 .k5login drwx------ 3 guest03 guest03 19 1月 5 07:52 .local drwxr-xr-x 4 guest03 guest03 39 1月 5 07:52 .mozilla drwxrw---- 3 guest03 guest03 19 1月 5 07:52 .pki drwxr-xr-x 2 guest03 guest03 6 1月 5 07:52 ダウンロード drwxr-xr-x 2 guest03 guest03 6 1月 5 07:52 テンプレート drwxr-xr-x 2 guest03 guest03 6 1月 5 07:52 デスクトップ drwxr-xr-x 2 guest03 guest03 6 1月 5 07:52 ドキュメント drwxr-xr-x 2 guest03 guest03 6 1月 5 07:52 ビデオ drwxr-xr-x 2 guest03 guest03 6 1月 5 07:52 音楽 drwxr-xr-x 2 guest03 guest03 6 1月 5 07:52 画像 drwxr-xr-x 2 guest03 guest03 6 1月 5 07:52 公開 [guest03@rhel8 ~]$ grep guest03 /etc/passwd |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 |
[root@rhel8 centrify]# adjoin -h usage: adjoin [options] domain options: -u, --user user[@domain] user name -p, --password pw user password, may prompt if absent -I, --noprompt do not prompt for user credential if no credentials found -c, --container dn subtree to create below or move to. LDAP is used to create computer object, if computer object does not exist. -n, --name comp computer account name -N, --prewin2k name pre-windows 2000 computer account name must be 19 characters or less -D, --dnsname name optional parameter to override the dNSHostName attribute in the computer object -f, --force overwrite existing joined computer -F, --forceDeleteObj clean up the existing computer object and extension object -d, --forceDeleteObjWithDupSpn delete the existing object with duplicate SPN -O, --forceDeleteExistingComputerZone use with --createComputerZone, when specify, clean up the existing computer zone if exists. -a, --alias alias add an alias computer account name -C, --noconf do not update PAM or NSS config -z, --zone zone zone to join -o, --createComputerZone create computer zone for the joined machine -R, --computerrole name the computer role currently joined machine will be added to -s, --server ds domain server for join operations -Z, --zoneserver ds domain server for zone operations useful if zone is in another domain -g, --gc ds domain server for global catalog searches -U, --upn upn user principal name for the account -T, --trust trust computer for delegation, requires administrator permission -k, --des use DES key only -P, --precreate precreate computer and extension object -m, --compat make computer and extension object compatible with DirectControl 2.x. -e --enableAppleIDGenScheme enable Apple scheme for generating ID for AD user or group when machine join to AutoZone. The settings once set will stay even after adleave. It can be used only when join an Auto Zone. It cannot be used together with --precreate. -S, --selfserve use reset computer account credentials to perform a self-service join -r, --useConf <list> use the settings in centrifydc.conf when perform self-service join. the settings can be a comma separated list of: spn: use the setting of adclient.krb5.service.principals enctype: use the setting of adclient.krb5.permitted.encryption.types -w, --workstation join computer to Auto Zone -l, --ldap use LDAP method to create the computer object -L, --linefeed print error/warning message without linefeed in paragraph -x, --extramap mapname add named nss map to nss configuration. Can be repeated -i, --noinit skip cache preload -E, --prestage dir use pre-staged cache. Cache files will be copied from dir. -A, --attempt attempt to grant authenticated users read permissions to PSO objects so that the computer account can read fine grain password security policies in the current domain. Note that the administrator(s) may also need to grant authenticated users read permissions to PSO objects in trusted domains and forests as well for more accurate password expiration times for cross domain and cross forests users. -v, --version print version information -t, --licensetype <type> specify license type to use. Valid values are "server" or "workstation" -V, --verbose print debug information for each operation -G, --loadgroups preload zone groups and group members -y, --notime do not update computer time -h, --help print this help information and exit. |