How do I authenticate against Active Directory using Centrify?'
Centrify aims at making integration of Linux and Mac OS X systems as easy as possible. It comes in several editions, and it is used by many major government, defense, corporate, and academic customers.
Installation on a headnode
Once the tarball is downloaded from Centrify's website you need to uncompress it:
$ tar zxf centrify-suite-2014.1-rhel3-x86_64.tgz
The tarball contains a utility to verify that there are no problems, such as firewall or DNS issues. It is recommended that you run the utility and address any issues that it might detect:
$ ./adcheck-rhel3-x86_64 bright.corp OSCHK : Verify that this is a supported OS : Pass PATCH : Linux patch check : Pass PERL : Verify perl is present and is a good version : Pass SAMBA : Inspecting Samba installation : Pass SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass HOSTNAME : Verify hostname setting : Pass NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass DNSPROBE : Probe DNS server 127.0.0.1 : Pass DNSCHECK : Analyze basic health of DNS servers : Pass WHATSSH : Is this an SSH that DirectControl works well with : Pass SSH : SSHD version and configuration : Pass DOMNAME : Check that the domain name is reasonable : Pass ADDC : Find domain controllers in DNS : Pass ADDNS : DNS lookup of DC bright-dc01.bright.corp : Pass ADPORT : Port scan of DC bright-dc01.bright.corp : Pass ADDC : Check Domain Controllers : Pass ADDNS : DNS lookup of DC bright-dc01.bright.corp : Pass GCPORT : Port scan of GC bright-dc01.bright.corp : Pass ADGC : Check Global Catalog servers : Pass DCUP : Check for operational DCs in bright.corp : Pass SITEUP : Check DCs for bright.corp in our site : Pass DNSSYM : Check DNS server symmetry : Pass ADSITE : Check that this machine's subnet is in a site known by AD : Pass GSITE : See if we think this is the correct site : Pass TIME : Check clock synchronization : Pass ADSYNC : Check domains all synchronized : Pass
After that, you can start the installation by running install.sh. First, select the appropriate version of Centrify:
$ ./install.sh
***** *****
***** WELCOME to the Centrify Suite installer! *****
***** *****
Detecting local platform ...
With this script, you can perform the following tasks:
- Install (update) Centrify Suite Enterprise Edition (License required) [E]
- Install (update) Centrify Suite Standard Edition (License required) [S]
- Install (update) Centrify Suite Express Edition [X]
- Custom install (update) of individual packages [C]
You can type Q at any prompt to quit the installation and exit
the script without making any changes to your environment.
How do you want to proceed? (E|S|X|C|Q) [E]: E
After this, enter some basic information in order to be able to join the domain. When asked to reboot the system during the installation dialog, make sure that you answer "No".
Do you want to continue to install in Express mode? (C|Y|Q|N) [Y]:
Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]:N
Join an Active Directory domain? (Q|Y|N) [Y]:
Enter the Active Directory domain to join [company.com]: bright.corp
Enter the Active Directory authorized user [administrator]: johndoe
Enter the password for the Active Directory user:
Enter the computer name [headnode]:
Enter the container DN [Computers]:
Enter the name of the domain controller [auto detect]:
Reboot the computer after installation? (Q|Y|N) [Y]:N
You chose Centrify Suite Express Edition and entered the following:
Install CentrifyDC 5.2.0 package: Y
Install CentrifyDC-nis 5.2.0 package: N
Install CentrifyDC-openssh 5.1.4 package: Y
Install CentrifyDC-ldapproxy 5.2.0 package: N
Install CentrifyDA 3.2.1 package: N
Run adcheck : N
Join an Active Directory domain : Y
Active Directory domain to join : bright.corp
Active Directory authorized user : johndoe
computer name : headnode
container DN : Computers
domain controller name : auto detect
Reboot computer : N
If this information is correct and you want to proceed, type "Y".
To change any information, type "N" and enter new information.
Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]
Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]: Joining the Active Directory domain bright.corp ... Using domain controller: bright-dc01.bright.corp writable=true Join to domain:bright.corp, zone:Auto Zone successful Centrify DirectControl started. Loading domains and trusts information Initializing cache . You have successfully joined the Active Directory domain: bright.corp in the Centrify DirectControl zone: Auto Zone You may need to restart other services that rely upon PAM and NSS or simply reboot the computer for proper operation. Failure to do so may result in login problems for AD users.
The install script will modify nsswitch.conf and the configuration of PAM, but it will not remove the entries related to LDAP. You will need to remove these entries manually. After your change, the configuration files should look like:
$cat /etc/nsswitch.conf # # /etc/nsswitch.conf # # An example Name Service Switch config file. This file should be # sorted with the most-used services at the beginning. # # The entry '[NOTFOUND=return]' means that the search for an # entry should stop if the search in the previous entry turned # up nothing. Note that if the search failed due to some other reason # (like no NIS server responding) then the search continues with the # next entry. # # Legal entries are: # # nis or yp Use NIS (NIS version 2), also called YP # dns Use DNS (Domain Name Service) # files Use the local files # db Use the local database (.db) files # compat Use NIS on compat mode # hesiod Use Hesiod for user lookups # ldap Use LDAP (only if nss_ldap is installed) # nisplus or nis+ Use NIS+ (NIS version 3), unsupported # [NOTFOUND=return] Stop searching if not found so far # # To use db, put the "db" in front of "files" for entries you want to be # looked up first in the databases # # Example: #passwd: db files ldap nis #shadow: db files ldap nis #group: db files ldap nis passwd: centrifydc files shadow: centrifydc files group: centrifydc files #hosts: db files ldap nis dns hosts: files dns # Example - obey only what ldap tells us... #services: ldap [NOTFOUND=return] files #networks: ldap [NOTFOUND=return] files #protocols: ldap [NOTFOUND=return] files #rpc: ldap [NOTFOUND=return] files #ethers: ldap [NOTFOUND=return] files bootparams: files ethers: files netmasks: files networks: files protocols: files rpc: files services: files netgroup: files publickey: files automount: files aliases: files $
$cat /etc/pam.d/system-auth # lines inserted by Centrify Direct Control (CentrifyDC 5.2.0-218) auth sufficient pam_centrifydc.so auth requisite pam_centrifydc.so deny account sufficient pam_centrifydc.so account requisite pam_centrifydc.so deny session required pam_centrifydc.so homedir password sufficient pam_centrifydc.so try_first_pass password requisite pam_centrifydc.so deny #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so $
$cat /etc/pam.d/password-auth # lines inserted by Centrify Direct Control (CentrifyDC 5.2.0-218) auth sufficient pam_centrifydc.so auth requisite pam_centrifydc.so deny account sufficient pam_centrifydc.so account requisite pam_centrifydc.so deny session required pam_centrifydc.so homedir password sufficient pam_centrifydc.so try_first_pass password requisite pam_centrifydc.so deny #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so $
User Portal authentication using Centrify
For the user portal you will need to modify the configuration of the PAM module for PHP:
$ cat /etc/pam.d/php auth sufficient pam_centrifydc.so account sufficient pam_centrifydc.so $
Disable LDAP
$ cmsh [headnode]% device use master [headnode->device[headnode]]% services [headnode->device[headnode]->services]% remove ldap [headnode->device*[headnode*]->services*]% commit
$ chkconfig nslcd off $ chkconfig ldap off
Remove the LDAP healthcheck
$ cmsh [headnode]% monitoring [headnode->monitoring]% healthchecks [headnode->monitoring->healthchecks]% use ldap [headnode->monitoring->healthchecks[ldap]]% usedby HealthCheck used by the following: Type Name Parameter Autochange ---------------- ---------------- ---------------- ------------ MonConf healthcheck yes [headnode->monitoring->healthchecks[ldap]]% remove [headnode->monitoring->healthchecks*]% commit Successfully removed 1 HealthChecks Successfully committed 0 HealthChecks [headnode->monitoring->healthchecks]%
For newer versions of Bright:
Stop SLAPD and NSLCD
$ cmsh [headnode->device[bright82]->services]% set slapd monitored no
[headnode->device*[bright82*]->services*]% set slapd autostart no
[headnode->device[bright82]->services]% set nslcd monitored no
[headnode->device*[bright82*]->services*]% set nslcd autostart no
[headnode->device*[bright82*]->services*]% commit
[headnode->device[bright82]->services]% stop slapd
[headnode->device[bright82]->services]% stop nslcd
Installing Centrify for the computing nodes
In order to install Centrify on the compute nodes, you will need to install Centrify on a running node, follwoing the same instructions as in the case of the headnode. Once the installation is complete, you will need to grab the software image using either CMSH or CMGUI:
e.g.
[root@kerndev ~]# cmsh [kerndev]% device use node001 [kerndev->device[node001]]% grabimage -w [kerndev->device[node001]]% Mon Nov 24 12:15:45 2014 [notice] kerndev: Provisioning started: sending node001:/ to kerndev:/cm/images/openstack-image, mode GRAB, dry run = no [kerndev->device[node001]]% Mon Nov 24 12:15:59 2014 [notice] kerndev: Provisioning completed: sent node001:/ to kerndev:/cm/images/openstack-image, mode GRAB, dry run = no grabimage -w [ COMPLETED ] [kerndev->device[node001]]%
Exclude lists
You will also need to modify the exclude lists for the node's category, in order to prevent update/synchronization operations from altering Centrify's cache:
# cmsh; % category use default % set excludelistsyncinstall (add the following line) /var/centrifydc/* /var/centrify/* no-new-files: - /var/centrifydc/* no-new-files: - /var/centrify/* % set excludelistgrab (add the following line) - /var/centrifydc/* - /var/centrify/* % set excludelistgrabnew (add the following line) - /var/centrifydc/* % set excludelistupdate (add the following line) /etc/krb5.* /var/centrifydc/* /var/centrify/* no-new-files: - /var/centrifydc/* no-new-files: - /var/centrify/* % commit
SELinux
If you are using SELinux, then you may need to restore the SELinux context of the Kerberos key table file:
$ restorecon /etc/krb5.keytab