
How do I authenticate against Active Directory using Centrify?

Centrify aims to make Active Directory integration of Linux and Mac OS X systems as easy as possible. It comes in several editions, and it is used by many major government, defense, corporate, and academic customers.

Installation on a headnode

Once the tarball has been downloaded from Centrify's website, unpack it:

$ tar zxf centrify-suite-2014.1-rhel3-x86_64.tgz

The tarball contains a utility that verifies there are no problems, such as firewall or DNS issues, that would prevent the join. It is recommended that you run the utility and address any issues it detects before installing:

$ ./adcheck-rhel3-x86_64 bright.corp
OSCHK    : Verify that this is a supported OS                          : Pass
PATCH    : Linux patch check                                           : Pass
PERL     : Verify perl is present and is a good version                : Pass
SAMBA    : Inspecting Samba installation                               : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass
HOSTNAME : Verify hostname setting                                     : Pass
NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
DNSPROBE : Probe DNS server 127.0.0.1                                  : Pass
DNSCHECK : Analyze basic health of DNS servers                         : Pass
WHATSSH  : Is this an SSH that DirectControl works well with           : Pass
SSH      : SSHD version and configuration                              : Pass
DOMNAME  : Check that the domain name is reasonable                    : Pass
ADDC     : Find domain controllers in DNS                              : Pass
ADDNS    : DNS lookup of DC bright-dc01.bright.corp                    : Pass
ADPORT   : Port scan of DC bright-dc01.bright.corp                     : Pass
ADDC     : Check Domain Controllers                                    : Pass
ADDNS    : DNS lookup of DC bright-dc01.bright.corp                    : Pass
GCPORT   : Port scan of GC bright-dc01.bright.corp                     : Pass
ADGC     : Check Global Catalog servers                                : Pass
DCUP     : Check for operational DCs in bright.corp                    : Pass
SITEUP   : Check DCs for bright.corp in our site                       : Pass
DNSSYM   : Check DNS server symmetry                                   : Pass
ADSITE   : Check that this machine's subnet is in a site known by AD   : Pass
GSITE    : See if we think this is the correct site                    : Pass
TIME     : Check clock synchronization                                 : Pass
ADSYNC   : Check domains all synchronized                              : Pass

After that, you can start the installation by running install.sh. First, select the appropriate edition of Centrify:

$ ./install.sh
*****                                                                 *****
*****             WELCOME to the Centrify Suite installer!            *****
*****                                                                 *****

Detecting local platform ...

With this script, you can perform the following tasks:
   - Install (update) Centrify Suite Enterprise Edition (License required) [E]
   - Install (update) Centrify Suite Standard Edition (License required) [S]
   - Install (update) Centrify Suite Express Edition [X]
   - Custom install (update) of individual packages [C]

You can type Q at any prompt to quit the installation and exit
the script without making any changes to your environment.

How do you want to proceed? (E|S|X|C|Q) [E]: E

Next, enter the basic information needed to join the domain. When the installation dialog asks whether to reboot the system, make sure that you answer "No".

Do you want to continue to install in Express mode? (C|Y|Q|N) [Y]:
Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]:N
Join an Active Directory domain? (Q|Y|N) [Y]:
   Enter the Active Directory domain to join [company.com]: bright.corp
   Enter the Active Directory authorized user [administrator]: johndoe
   Enter the password for the Active Directory user:
   Enter the computer name [headnode]:
   Enter the container DN [Computers]:
   Enter the name of the domain controller [auto detect]:
Reboot the computer after installation? (Q|Y|N) [Y]:N

You chose Centrify Suite Express Edition and entered the following:
   Install CentrifyDC 5.2.0 package: Y
   Install CentrifyDC-nis 5.2.0 package: N
   Install CentrifyDC-openssh 5.1.4 package: Y
   Install CentrifyDC-ldapproxy 5.2.0 package: N
   Install CentrifyDA 3.2.1 package: N
   Run adcheck                      : N
   Join an Active Directory domain  : Y
   Active Directory domain to join  : bright.corp
   Active Directory authorized user : johndoe
   computer name                    : headnode
   container DN                     : Computers
   domain controller name           : auto detect
   Reboot computer                  : N

If this information is correct and you want to proceed, type "Y".
To change any information, type "N" and enter new information.
Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]

Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]:
Joining the Active Directory domain bright.corp ...
Using domain controller: bright-dc01.bright.corp writable=true
Join to domain:bright.corp, zone:Auto Zone successful
Centrify DirectControl started.
Loading domains and trusts information
Initializing cache
.
You have successfully joined the Active Directory domain: bright.corp
in the Centrify DirectControl zone: Auto Zone

You may need to restart other services that rely upon PAM and NSS or simply
reboot the computer for proper operation.  Failure to do so may result in login
problems for AD users.

The install script modifies nsswitch.conf and the PAM configuration, but it does not remove the existing entries related to LDAP; you will need to remove these manually. After your changes, the configuration files should look like this:

$ cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       ldap                    Use LDAP (only if nss_ldap is installed)
#       nisplus or nis+         Use NIS+ (NIS version 3), unsupported
#       [NOTFOUND=return]       Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files ldap nis
#shadow:    db files ldap nis
#group:     db files ldap nis

passwd: centrifydc      files
shadow: centrifydc      files
group: centrifydc       files

#hosts:     db files ldap nis dns
hosts:      files dns

# Example - obey only what ldap tells us...
#services:  ldap [NOTFOUND=return] files
#networks:  ldap [NOTFOUND=return] files
#protocols: ldap [NOTFOUND=return] files
#rpc:       ldap [NOTFOUND=return] files
#ethers:    ldap [NOTFOUND=return] files

bootparams: files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  files

automount:  files
aliases:    files
$

$ cat /etc/pam.d/system-auth
# lines inserted by Centrify Direct Control (CentrifyDC 5.2.0-218)
auth       sufficient     pam_centrifydc.so
auth       requisite      pam_centrifydc.so deny
account    sufficient     pam_centrifydc.so
account    requisite      pam_centrifydc.so deny
session    required       pam_centrifydc.so homedir
password   sufficient     pam_centrifydc.so try_first_pass
password   requisite      pam_centrifydc.so deny
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
$

$ cat /etc/pam.d/password-auth
# lines inserted by Centrify Direct Control (CentrifyDC 5.2.0-218)
auth       sufficient     pam_centrifydc.so
auth       requisite      pam_centrifydc.so deny
account    sufficient     pam_centrifydc.so
account    requisite      pam_centrifydc.so deny
session    required       pam_centrifydc.so homedir
password   sufficient     pam_centrifydc.so try_first_pass
password   requisite      pam_centrifydc.so deny
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
$
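To confirm that the manual clean-up really removed the LDAP entries, here is an added shell script (not part of the original article and not a Centrify tool) that audits an nsswitch.conf and any number of PAM service files. The functions take file paths as arguments, so they can be pointed at /etc/nsswitch.conf and /etc/pam.d/system-auth and password-auth on a head node or inside a node image; the sample files it writes to a temporary directory are constructed for the demonstration only.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the NSS and PAM
# files after a Centrify install for LDAP entries the installer leaves behind.
# All file paths are passed in as arguments; nothing here is a Centrify tool.

# Check one nsswitch.conf: each of passwd, shadow and group must list
# centrifydc as a source and must no longer list ldap. Returns 1 on any finding.
audit_nsswitch() {
    file="$1"
    status=0
    for db in passwd shadow group; do
        if grep -qE "^[[:space:]]*${db}:.*[[:space:]]ldap([[:space:]]|\$)" "$file"; then
            echo "$file: '$db' still lists ldap as a source"
            status=1
        fi
        if ! grep -qE "^[[:space:]]*${db}:.*[[:space:]]centrifydc([[:space:]]|\$)" "$file"; then
            echo "$file: '$db' does not list centrifydc"
            status=1
        fi
    done
    return $status
}

# Check one PAM service file: every uncommented line that loads pam_ldap.so
# is printed. Returns 1 if at least one such line remains.
audit_pam() {
    file="$1"
    if grep -E '^[[:space:]]*[^#].*pam_ldap\.so' "$file"; then
        echo "$file: the pam_ldap.so line(s) above are still active"
        return 1
    fi
    return 0
}

# Run both checks: first argument is the nsswitch.conf, the rest are PAM files.
audit_all() {
    rc=0
    audit_nsswitch "$1" || rc=1
    shift
    for pamfile in "$@"; do
        audit_pam "$pamfile" || rc=1
    done
    return $rc
}

# Constructed sample files so the script can be tried offline; the real
# targets would be /etc/nsswitch.conf and /etc/pam.d/{system-auth,password-auth}.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nsswitch.stale" <<'EOF'
passwd: files ldap
shadow: centrifydc      files
group: centrifydc       files
hosts:      files dns
EOF
cat > "$demo_dir/nsswitch.clean" <<'EOF'
passwd: centrifydc      files
shadow: centrifydc      files
group: centrifydc       files
EOF
cat > "$demo_dir/system-auth.stale" <<'EOF'
account    sufficient     pam_centrifydc.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
EOF
cat > "$demo_dir/system-auth.clean" <<'EOF'
account    sufficient     pam_centrifydc.so
#account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
EOF

if audit_all "$demo_dir/nsswitch.stale" "$demo_dir/system-auth.stale"; then
    echo "stale sample: clean (unexpected)"
else
    echo "stale sample: LDAP leftovers found, fix them before relying on AD logins"
fi
if audit_all "$demo_dir/nsswitch.clean" "$demo_dir/system-auth.clean"; then
    echo "clean sample: no LDAP leftovers"
fi
```

A leftover ldap source in nsswitch.conf or an active pam_ldap.so line is worth catching before the LDAP service and nslcd are switched off in the following steps: once those daemons are stopped, such entries no longer fall back quietly but turn into lookup timeouts and slow or failing logins.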

User Portal authentication using Centrify

For the user portal, you will also need to modify the PAM configuration used by PHP:

$ cat /etc/pam.d/php
auth       sufficient   pam_centrifydc.so
account    sufficient   pam_centrifydc.so
$

Disable LDAP

$ cmsh
[headnode]% device use master
[headnode->device[headnode]]% services
[headnode->device[headnode]->services]% remove ldap
[headnode->device*[headnode*]->services*]% commit

$ chkconfig nslcd off
$ chkconfig ldap  off

Remove the LDAP healthcheck

$ cmsh
[headnode]% monitoring
[headnode->monitoring]% healthchecks
[headnode->monitoring->healthchecks]% use ldap
[headnode->monitoring->healthchecks[ldap]]% usedby
HealthCheck used by the following:
Type             Name             Parameter        Autochange
---------------- ---------------- ---------------- ------------
MonConf                           healthcheck      yes
[headnode->monitoring->healthchecks[ldap]]% remove
[headnode->monitoring->healthchecks*]% commit
Successfully removed 1 HealthChecks
Successfully committed 0 HealthChecks
[headnode->monitoring->healthchecks]%

Installing Centrify for the compute nodes

To install Centrify on the compute nodes, install it on one running node, following the same instructions as for the head node. Once the installation is complete, grab the software image from that node using either CMSH or CMGUI.

For example:

[root@kerndev ~]# cmsh
[kerndev]% device use node001
[kerndev->device[node001]]% grabimage -w
[kerndev->device[node001]]%
Mon Nov 24 12:15:45 2014 [notice] kerndev: Provisioning started: sending node001:/ to kerndev:/cm/images/openstack-image, mode GRAB, dry run = no
[kerndev->device[node001]]%
Mon Nov 24 12:15:59 2014 [notice] kerndev: Provisioning completed: sent node001:/ to kerndev:/cm/images/openstack-image, mode GRAB, dry run = no
grabimage -w [ COMPLETED ]
[kerndev->device[node001]]%

Exclude lists

You will also need to modify the exclude lists of the nodes' category, so that update and synchronization operations do not overwrite Centrify's cache:

# cmsh
% category use default
% set excludelistsyncinstall
(add the following lines)
/var/centrifydc/*
/var/centrify/*
no-new-files: - /var/centrifydc/*
no-new-files: - /var/centrify/*
% set excludelistgrab
(add the following lines)
- /var/centrifydc/*
- /var/centrify/*
% set excludelistgrabnew
(add the following line)
- /var/centrifydc/*
% set excludelistupdate
(add the following lines)
/etc/krb5.*
/var/centrifydc/*
/var/centrify/*
no-new-files: - /var/centrifydc/*
no-new-files: - /var/centrify/*
% commit

SELinux

If you are using SELinux, then you may need to restore the SELinux context of the Kerberos keytab file:

$ restorecon /etc/krb5.keytab