As you’ve seen us mention in our Linux File Servers in a Windows Domain article, Linux systems have become an omnipresent fixture of the IT landscape, even in companies that are heavily invested in Windows infrastructure. But one challenge to managing such infrastructure diversity is maintaining standardization among disparate systems. Ask any IT Admin who’s managed Linux systems over the last 20 years and you’ll likely hear numerous stories about rogue servers, shared accounts, a lack of password complexity enforcement, and a plain lack of standardization. Things have changed a lot over the past decade, however. With a general shift to virtualization, as well as provisioning tools from Ubuntu and Red Hat, and third-party tools like Ansible, system standardization on Linux has become easier than ever.
Yet another complication of a diverse environment is identity management. Especially with the ever-looming threat of virtual machine sprawl, managing disparate systems and their respective logins can be tiresome at best, and a downright security risk at worst. Thus, when considering systems and applications, a good engineer should always ask questions about identity management and integration with Active Directory, LDAP, or another directory service. Along the way, Samba has offered some ability to integrate Linux systems into Active Directory, but it wasn’t always easy to implement, and identity management wasn’t Samba’s primary focus. Today, however, there are dedicated tools to manage identities across numerous systems, including Linux, UNIX, Macs, and beyond.
One such tool that simplifies and unifies identity management across multiple platforms is Centrify. Centrify was founded in 2004 and offers software designed to thwart the number one point of entry in a data breach – compromised credentials. To say it’s a trusted platform would be an understatement – Centrify claims over half of the Fortune 100 trusts some form of their identity and access management to Centrify.
Here at Teknophiles, we look for a couple of things in a software package for use in our lab:
- Does the software offer Enterprise-level performance and functionality?
- Does the vendor provide IT professionals with an inexpensive (or free) means to test or use the software, at least in some limited capacity?
We’re not big fans of 30-day trials at Teknophiles, because as any IT Pro knows, it’s really tough to dig into a software package and learn the ins and outs in such a limited time frame, especially with a day job. And in a lab environment, it’s almost mandatory to be able to leave a piece of hardware or software in place for an extended length of time, so that it can be tested in future configurations and scenarios (Take note, Microsoft, Re: TechNet!). We also understand that software companies are in business to make money, which is why we like the “Free, but limited” model. In the “Free, but limited” approach, software may be limited to a certain scope of install, number of nodes, or reduced feature set. There are lots of great examples that follow this model – Nagios Core, Thycotic Secret Server, Sophos UTM, among others – and Centrify is no exception. To get the full feature set, one must upgrade to the licensed version. Typically, there’s an easy upgrade path to the licensed version, which gives IT Admins the added confidence that they can stand up a piece of software and, if they and their superiors decide it’s a good fit, simply upgrade without standing up a completely new system.
I happen to use Centrify daily at my full-time job. It’s become instrumental in managing and standardizing access to the numerous Oracle Linux and RHEL systems we deploy. Given my experience with Centrify in the Enterprise environment, I was delighted to learn that they offer a limited package, called Centrify Express, that allows for installation on 200 servers, albeit with a reduced feature set. Centrify’s Reasons to Upgrade page has a table with a brief comparison of features between Centrify Infrastructure Services and Centrify Express.
Before You Start
In this article, we’ll briefly cover the installation of the Centrify Express Agent on CentOS 7. Before we dig in, however, there are a couple of things you need to make sure you have in order beforehand.
First, it probably goes without saying, but you need a working Active Directory environment with at least one functioning Domain Controller. You also need the credentials for a user who has the ability to add systems to the domain. It’s probably easiest if you use an account that is a Domain Admin or has similarly delegated permissions within Active Directory.
Second, as we’ve mentioned previously, DNS is a critical component of a functional Active Directory implementation. Be sure you have good FQDN (server.domain.com) resolution between the Domain Controllers and the system you wish to become a domain member, as well as name resolution from the Linux member server to the Domain Controllers (DC01.domain.com, DC02.domain.com, etc.).
Finally, give yourself at least one local Linux account with sudo access that is NOT the same as any AD account. Should you at some point find yourself unable to log into the server via Active Directory, you can use this account as a fallback.
If the local account has the same name as an AD account, the system will assume you are trying to use the AD account and you may be unable to log in. If this is the only local account with sudo access, you could find yourself without the ability to administer the server!
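The DNS and fallback-account checks above as a small script, added here as an example rather than anything shipped with Centrify; the DC names, the fallback account name and the list of AD account names it compares against are assumptions to adjust for your environment.

```shell
#!/bin/sh
# Pre-flight checks for a Centrify Express domain join. Added example, not part
# of the Centrify installer. DC names, the fallback account name and the AD
# account names passed in are assumptions; adjust them for your environment.

# Forward resolution of this host's FQDN and of every DC named on the command line.
check_dns() {
  rc=0
  for name in "$(hostname -f)" "$@"; do
    getent hosts "$name" >/dev/null || { echo "DNS: cannot resolve $name"; rc=1; }
  done
  return $rc
}

# A local, sudo-capable fallback account whose name is NOT also an AD account.
# Arguments: account name, passwd file, group file, then AD account names to
# avoid (compared case-insensitively, as AD logins are).
check_fallback_admin() {
  name="$1"; passwd="$2"; group="$3"; shift 3; rc=0
  grep -q "^$name:" "$passwd" || { echo "fallback: no local account '$name'"; rc=1; }
  # CentOS 7's stock sudoers grants sudo to members of the wheel group
  grep -E "^wheel:.*[:,]$name(,|\$)" "$group" >/dev/null \
    || { echo "fallback: '$name' is not in the wheel group"; rc=1; }
  lname=$(echo "$name" | tr 'A-Z' 'a-z')
  for ad in "$@"; do
    if [ "$(echo "$ad" | tr 'A-Z' 'a-z')" = "$lname" ]; then
      echo "fallback: '$name' would be shadowed by AD account '$ad'"; rc=1
    fi
  done
  return $rc
}

# Example invocation on the server (DC names and AD names are assumptions):
#   check_dns dc01.domain.com dc02.domain.com
#   check_fallback_admin localadmin /etc/passwd /etc/group administrator admin
```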
With that out of the way, let’s move on to the fun parts.
Staging the Centrify Express Installation Files
Begin by downloading Centrify Express for the proper flavor of Linux here. You’ll have to fill out a short form to gain access to the installers, but it’s free and there’s no commitment. In fact, unlike some other software vendors, I haven’t been plagued by sales calls, either.
Once you have the proper installer downloaded, simply SFTP the file to the server you wish to become a domain member. On the server, create a folder to extract the installation files.
```
[root@SERVER01 ~]# mkdir -p software/centrify
[root@SERVER01 ~]# mv centrify-suite-2018-rhel5-x86_64.tgz ~/software/centrify/
[root@SERVER01 ~]# cd ~/software/centrify/
[root@SERVER01 centrify]# ll
total 37260
-rw-r--r--. 1 root root 38153344 Jun  2 22:55 centrify-suite-2018-rhel5-x86_64.tgz
```
Next, extract the installation files as follows.
```
[root@SERVER01 centrify]# gunzip centrify-suite-2018-rhel5-x86_64.tgz
[root@SERVER01 centrify]# tar -xvf centrify-suite-2018-rhel5-x86_64.tar
./adcheck-rhel5-x86_64
./CentrifyDA-3.5.0-rhel5.x86_64.rpm
./CentrifyDC-5.5.0-rhel5.x86_64.rpm
./CentrifyDC-curl-5.5.0-rhel5.x86_64.rpm
./centrifydc-install.cfg
./CentrifyDC-ldapproxy-5.5.0-rhel5.x86_64.rpm
./CentrifyDC-nis-5.5.0-rhel5.x86_64.rpm
./CentrifyDC-openldap-5.5.0-rhel5.x86_64.rpm
./CentrifyDC-openssh-7.6p1-5.5.0-rhel5.x86_64.rpm
./CentrifyDC-openssl-5.5.0-rhel5.x86_64.rpm
./centrify-suite.cfg
./install-express.sh
./install.sh
```
Now, simply begin the installation by executing the install.sh script.
```
[root@SERVER01 centrify]# ./install.sh

***** ***** *****  WELCOME to the Centrify Infrastructure Services installer!  ***** ***** *****

Detecting local platform ...
Running ./adcheck-rhel5-x86_64 ...
OSCHK    : Verify that this is a supported OS                       : Pass
PATCH    : Linux patch check                                        : Pass
PERL     : Verify perl is present and is a good version             : Pass
SAMBA    : Inspecting Samba installation                            : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp    : Pass
HOSTNAME : Verify hostname setting                                  : Pass
NSHOSTS  : Check hosts line in /etc/nsswitch.conf                   : Pass
DNSPROBE : Probe DNS server 10.0.0.11                               : Pass
DNSPROBE : Probe DNS server 10.0.0.21                               : Pass
DNSCHECK : Analyze basic health of DNS servers                      : Pass
WHATSSH  : Is this an SSH that Centrify DirectControl Agent works well with: Pass
SSH      : SSHD version and configuration                           : Warning
         : You are running OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017.
         :
         : This version of OpenSSH does not seem to be configured for PAM,
         : ChallengeResponse and Kerberos/GSSAPI support.
         : To get Active Directory users to successfully login,
         : you need to configure your OpenSSH with the following options:
         : (display the ones we identified were not set)
         :     ChallengeResponseAuthentication yes
         :     UsePAM Yes
         :
         : Centrify provides a version of OpenSSH that's configured properly
         : to allow AD users to login and provides Kerberos GSSAPI support.

1 warning was encountered during check. We recommend checking this before proceeding
WARNING: Centrify adcheck exited with warning(s).

This installation script provides installation of the following services in
Centrify Infrastructure Services on UNIX and Linux:

  - Centrify Identity Broker Service
  - Centrify Privilege Elevation Service
  - Centrify Auditing & Monitoring Service

The Centrify Identity Broker Service and Centrify Privilege Elevation Service
are contained in the CentrifyDC (Centrify DirectControl) packages, and the
Centrify Auditing & Monitoring Service is in the CentrifyDA (Centrify DirectAudit) packages.

With this script, you can perform the following tasks:
  - Install (update) CentrifyDC & CentrifyDA packages (License required) [E]
  - Install (update) CentrifyDC only packages (License required) [S]
  - Install (update) CentrifyDC Express packages [X]
  - Custom install (update) of individual packages [C]

You can type Q at any prompt to quit the installation and exit the script
without making any changes to your environment.

How do you want to proceed? (E|S|X|C|Q) [E]:
```
Select X for the Centrify Express installation.
```
How do you want to proceed? (E|S|X|C|Q) [E]: X

The Express mode license allows you to install a total of 200 agents.

The Express mode license does not allow the use of licensed features for
advanced authentication, access control, auditing, and centralized management.
This includes, but is not limited to, features such as SmartCard authentication,
Privilege Elevation, Auditing, Group Policy, Login User Filtering, and NSS overrides.
```
Select Y to continue to install in Express mode.
```
Do you want to continue to install in Express mode? (C|Y|Q|N) [Y]:
```
Select Y to verify the AD environment. This is a good idea, as it will flag any major issues prior to attempting the domain join.
```
Do you want to run Centrify adcheck to verify your AD environment? (Q|Y|N) [Y]:
```
Enter the domain you wish to join.
```
Please enter the Active Directory domain to check [company.com]: domain.com
```
Confirm you want to join an Active Directory Domain by selecting Y.
```
Join an Active Directory domain? (Q|Y|N) [Y]:Y
```
Again, enter the name of the domain you wish to join.
```
Enter the Active Directory domain to join [domain.com]: domain.com
```
Next, enter the username and password of an admin with permission to join systems to the domain. It doesn’t have to be a Domain Admin, but using a Domain Admin account may simplify permissions troubleshooting:

```
Enter the Active Directory authorized user [administrator]: administrator
Enter the password for the Active Directory user:
```
Verify the computer name and the container DN within Active Directory. In most cases the Computers container will suffice, as you can always move the machine later for organizational purposes. If you choose, you can also specify a different container, as shown here.
```
Enter the computer name [CentOS-Test.domain.com]: CentOS-Test.domain.com
Enter the container DN [Computers]: OU=Linux-Unix Servers,OU=Computers
```
Now, enter the name of the Domain Controller you wish to use to join the domain. Typically this can be left as auto detect, but you can also specify a DC.
```
Enter the name of the domain controller [auto detect]: DC01.domain.com
```
Choose whether you want the system to reboot upon completion of the install and domain join. Though this is not required, other services may need to be restarted for full integration.
```
Reboot the computer after installation? (Q|Y|N) [Y]:N
```
Finally, confirm the options you provided and select Y to proceed.
```
You entered the following:
    Install CentrifyDC 5.5.0 package          : Y
    Install CentrifyDC-openssl 5.5.0 package  : Y
    Install CentrifyDC-openldap 5.5.0 package : Y
    Install CentrifyDC-curl 5.5.0 package     : Y
    Install CentrifyDC-ldapproxy 5.5.0 package: N
    Install CentrifyDC-nis 5.5.0 package      : N
    Install CentrifyDC-openssh 5.5.0 package  : N
    Install CentrifyDA 3.5.0 package          : N
    Run Centrify adcheck                      : Y
    Join an Active Directory domain           : Y
    Active Directory domain to join           : domain.com
    Active Directory authorized user          : administrator
    computer name                             : CentOS-Test.domain.com
    container DN                              : OU=Linux-Unix Servers,OU=Computers
    domain controller name                    : DC01.domain.com
    Reboot computer                           : N

If this information is correct and you want to proceed, type "Y".
To change any information, type "N" and enter new information.
Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]:Y
```
View the output of the installation summary and resolve any issues. In this case you can see we had one warning regarding SSH configuration. Any issues may need to be addressed for complete integration.
```
Running ./adcheck-rhel5-x86_64 ...
NSHOSTS  : Check hosts line in /etc/nsswitch.conf                   : Pass
DNSPROBE : Probe DNS server 10.0.0.11                               : Pass
DNSPROBE : Probe DNS server 10.0.0.21                               : Pass
DNSCHECK : Analyze basic health of DNS servers                      : Pass
WHATSSH  : Is this an SSH that Centrify DirectControl Agent works well with: Pass
SSH      : SSHD version and configuration                           : Warning
         : You are running OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017.
         :
         : This version of OpenSSH does not seem to be configured for PAM,
         : ChallengeResponse and Kerberos/GSSAPI support.
         : To get Active Directory users to successfully login,
         : you need to configure your OpenSSH with the following options:
         : (display the ones we identified were not set)
         :     ChallengeResponseAuthentication yes
         :     UsePAM Yes
         :
         : Centrify provides a version of OpenSSH that's configured properly
         : to allow AD users to login and provides Kerberos GSSAPI support.
DOMNAME  : Check that the domain name is reasonable                 : Pass
ADDC     : Find domain controllers in DNS                           : Pass
ADDNS    : DNS lookup of DC dc01.domain.com                         : Pass
ADPORT   : Port scan of DC dc01.domain.com 10.0.0.11                : Pass
ADDNS    : DNS lookup of DC dc02.domain.com                         : Pass
ADPORT   : Port scan of DC dc02.domain.com 10.0.0.21                : Pass
ADDC     : Check Domain Controllers                                 : Pass
ADDNS    : DNS lookup of DC dc01.domain.com                         : Pass
GCPORT   : Port scan of GC dc01.domain.com 10.0.0.11                : Pass
ADDNS    : DNS lookup of DC dc02.domain.com                         : Pass
GCPORT   : Port scan of GC dc02.domain.com 10.0.0.21                : Pass
ADGC     : Check Global Catalog servers                             : Pass
DCUP     : Check for operational DCs in domain.com                  : Pass
SITEUP   : Check DCs for domain.com in our site                     : Pass
DNSSYM   : Check DNS server symmetry                                : Pass
ADSITE   : Check that this machine's subnet is in a site known by AD: Pass
GSITE    : See if we think this is the correct site                 : Pass
TIME     : Check clock synchronization                              : Pass
ADSYNC   : Check domains all synchronized                           : Pass

1 warning was encountered during check. We recommend checking this before proceeding
WARNING: Centrify adcheck exited with warning(s).

Preparing packages...
CentrifyDC-openssl-5.5.0-200.x86_64
CentrifyDC-openldap-5.5.0-200.x86_64
CentrifyDC-curl-5.5.0-200.x86_64
CentrifyDC-5.5.0-200.x86_64

Joining the Active Directory domain domain.com ...
Using domain controller: dc01.domain.com writable=true
Join to domain:domain.com, zone:Auto Zone successful

Centrify DirectControl started.
Loading domains and trusts information
Initializing cache
.
You have successfully joined the Active Directory domain: domain.com
in the Centrify DirectControl zone: Auto Zone

You may need to restart other services that rely upon PAM and NSS or simply
reboot the computer for proper operation. Failure to do so may result in login
problems for AD users.

Install.sh completed successfully.
```
Before logging out as root, be sure to add the Domain Admins group, or another AD group of Linux administrators, to the sudoers file by adding the following line.

```
[root@SERVER01 centrify]# visudo
%domain_admins ALL=(ALL:ALL) ALL
```
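A more contained way to make this change, added as an example rather than part of the article's procedure: it derives the Unix group name from the AD group, writes the rule to a /etc/sudoers.d drop-in and has visudo validate it before the file is kept. The name mapping (lowercase, spaces to underscores) is inferred from the id output later in this article, where Domain Admins shows up as domain_admins; the group name and file path are assumptions.

```shell
#!/bin/sh
# Grant sudo to an AD group through a validated /etc/sudoers.d drop-in rather
# than editing /etc/sudoers by hand. Added example, not Centrify's code.
# Mapping assumption: Auto Zone presents AD group names lowercased with spaces
# replaced by underscores (as in the article's id output); confirm with
# "getent group <name>" on your own system before relying on it.

# Map an AD group display name to the Unix group name Centrify presents.
unix_group_name() {
  echo "$1" | tr 'A-Z ' 'a-z_'
}

# The sudoers line for an AD group, same shape as the article's %domain_admins rule.
sudoers_rule() {
  printf '%%%s ALL=(ALL:ALL) ALL\n' "$(unix_group_name "$1")"
}

# Write the rule to a drop-in (no dots in the name, or sudo ignores the file),
# set the 0440 mode sudo requires, and keep it only if visudo parses it.
install_sudoers_dropin() {
  grp="$1"; file="${2:-/etc/sudoers.d/$(unix_group_name "$grp")}"
  sudoers_rule "$grp" > "$file" || return 1
  chmod 0440 "$file"
  if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$file" >/dev/null; then
    echo "sudoers: '$file' failed validation; removing it"; rm -f "$file"; return 1
  fi
}

# On the server, before logging out as root (group and user are assumptions):
#   install_sudoers_dropin "Linux Admins"
#   sudo -l -U some_ad_user     # confirm the AD user's new rights
```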
You should now be able to log in via a domain account. Use only the user’s shortname (not FQDN).
```
login as: admin
admin@SERVER01's password:
```
You can quickly confirm that your AD account is working properly by viewing your user’s domain group memberships.
```
admin@SERVER01:~$ id
uid=1311458391(admin) gid=1311458391(admin) groups=1311458391(admin),1311456800(domain_admins),1311456801(domain_users),1311456806(schema_admins),1311456807(enterprise_admins),1311457475(linux_admins) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```
That’s it for the install! We hope to provide additional Centrify walk-throughs in a future article (Centrify Samba/PuTTY), but this should quickly get you up and running with single sign-on for your domain-integrated Linux servers. As you can see, Centrify provides a neat and tidy package to manage identities across multiple server platforms in a Windows Domain. It’s rock-solid, and right at home in a small home lab or large Enterprise. We’ve been using it for years now without issue in both environments, and hope you’ll find it as useful as we have.