Cheat sheet for installing Centrify
Posted: November 10, 2015 Filed under: CentOS, Linux | Tags: Centrify, Join Domain, Samba Leave a commentThis is more for me that a general help blog, the instructions are pretty good with the Centrfy product (www.centrify.com), but there are pages and pages. I just want the salient points to get me up and running.
For those who do not know, this product allows you to join a Linux server to a Windows domain via a scripted method and with out all of the hassle trying to do it by hand. It also has a Samba element, this is what I want it for!!!!
There is much more to the enterprise product and you can do some really cool things with it, but I am happy with the free version.
You need to download the suite and Samba installs from here, the site tries its best to hide the downloads, you have to register for the download, and then it does it’s best to hide the bits you need. To download and register use www.centrify.com/express/server-suite-form
Or you can follow this link http://www.centrify.com/express/linux-unix/download-files/#accordion-download-express-02
The express suite is for Centos is http://edge.centrify.com/products/centrify-suite/2015-update-1/installers/centrify-suite-2015.1-rhel4-x86_64.tgz
The Samba install is http://edge.centrify.com/products/opensource/samba-4.5.9/centrify-samba-4.5.9-rhel3-x86_64.tgz
So here is the basics on the installation.
You will need some base bits
yum -y install perl
mkdir /opt/software
cd /opt/software
wget http://edge.centrify.com/products/centrify-suite/2015-update-1/installers/centrify-suite-2015.1-rhel4-x86_64.tgz
wget http://edge.centrify.com/products/opensource/samba-4.5.9/centrify-samba-4.5.9-rhel3-x86_64.tgz
mkdir suite
tar -xvzf centrify-suite-2015.1-rhel4-x86_64.tgz -C suite
mkdir samba
tar -xvzf centrify-samba-4.5.9-rhel3-x86_64.tgz -C samba
cd suite
./install-express.sh
***** ***** ***** WELCOME to the Centrify Express installer! ***** ***** *****
Detecting local platform …
Running ./adcheck-rhel4-x86_64 … OSCHK : Verify that this is a supported OS : Pass PATCH : Linux patch check : Pass PERL : Verify perl is present and is a good version : Pass SAMBA : Inspecting Samba installation : Pass SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass HOSTNAME : Verify hostname setting : Pass NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass DNSPROBE : Probe DNS server 10.0.100.150 : Pass DNSCHECK : Analyze basic health of DNS servers : Warning : Only one DNS server was found in /etc/resolv.conf. : At least one backup DNS server is recommended for : enterprise installations. : Only one good DNS server was found : You might be able to continue but it is likely that you : will have problems. : Add more good DNS servers into /etc/resolv.conf.
WHATSSH : Is this an SSH that DirectControl works well with : Pass SSH : SSHD version and configuration : Warning : You are running OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013. : : This version of OpenSSH does not seem to be configured for PAM, : ChallengeResponse and Kerberos/GSSAPI support. : To get Active Directory users to successfully login, : you need to configure your OpenSSH with the following options: : (display the ones we identified were not set) : ChallengeResponseAuthentication yes : UsePAM Yes : : Centrify provides a version of OpenSSH that’s configured properly : to allow AD users to login and provides Kerberos GSSAPI support. : : If you install Centrify Express or Centrify Suite : Standard or Enterprise Edition, the Centrify build of : OpenSSH will be installed automatically. Alternatively : you may choose individual Suite packages to install : with the Custom install option.
2 warnings were encountered during check. We recommend checking these before proceeding
WARNING: adcheck exited with warning(s).
With this script, you can perform the following tasks: – Install (update) Centrify Suite Enterprise Edition (License required) [E] – Install (update) Centrify Suite Standard Edition (License required) [S] – Install (update) Centrify Suite Express Edition [X] – Custom install (update) of individual packages [C]
You can type Q at any prompt to quit the installation and exit the script without making any changes to your environment.
How do you want to proceed? (E|S|X|C|Q) [X]:X
The Express mode license allows you to install a total of 200 agents. The Express mode license does not allow the use of licensed features for advanced authentication, access control, auditing, and centralized management. This includes, but is not limited to features such as SmartCard authentication, DirectAuthorize, DirectAudit, Group Policy, Login User Filtering, and NSS overrides.
Do you want to continue to install in Express mode? (C|Y|Q|N) [Y]:Y
Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]:Y
Please enter the Active Directory domain to check [company.com]:acme
Join an Active Directory domain? (Q|Y|N) [Y]:Y
Enter the Active Directory domain to join [acme]:acme.local
Enter the Active Directory authorized user [administrator]:Administrator
Enter the password for the Active Directory user:
Enter the computer name [server-01]:Enter
Enter the container DN [Computers]: Enter Enter the name of the domain controller [auto detect]:Enter
Reboot the computer after installation? (Q|Y|N) [Y]:Y
You will get a confirmation screen
Please enter the Active Directory domain to check [company.com]: acme Join an Active Directory domain? (Q|Y|N) [Y]:Y Enter the Active Directory domain to join [churchill1795]: acme.local Enter the Active Directory authorized user [administrator]: Administrator Enter the password for the Active Directory user: Enter the computer name [server-01]: Enter the container DN [Computers]: Enter the name of the domain controller [auto detect]: Reboot the computer after installation? (Q|Y|N) [Y]:Y
You chose Centrify Suite Express Edition and entered the following: Install CentrifyDC 5.2.3 package : Y Install CentrifyDC-nis 5.2.3 package: N Install CentrifyDC-openssh 5.2.3 package: Y Install CentrifyDC-ldapproxy 5.2.3 package: N Install CentrifyDA 3.2.3 package: N Run adcheck : Y Join an Active Directory domain : Y Active Directory domain to join : acme.local Active Directory authorized user : Administrator computer name : server-01 container DN : Computers domain controller name : auto detect Reboot computer : Y
If this information is correct and you want to proceed, type “Y”. To change any information, type “N” and enter new information. Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]:Y
The installation will start and the sever will reboot if successful. To avoid any errors when installing the samba install you need some bits
yum -y install cups
cd /opt/software/samba
rpm -i centrifydc-samba-3.6.25-4.5.9-rhel3-x86_64.rpm
rpm -i centrifydc-adbindproxy-4.5.9-rhel3-x86_64.rpm
perl /usr/share/centrifydc/bin/adbindproxy.pl
adbindproxy.pl is used to configure the Centrify custom Samba build to interoperate with Centrify’s DirectControl product. It checks if the machine is joined to an AD domain. If not, it will prompt for the join operation. It also updates smb.conf and tdb files.
For security reason, you will be prompted for password several times in order to perform different AD operations when running this script.
Please specify Centrify Samba’s path if it is not in [/opt/centrify/samba/] :Enter
Using (/opt/centrify/samba/) The Samba base path is : /opt/centrify/samba/ Looking for conflicting Samba installations… No conflicting Samba found. Do you want to create symbolic links from /usr to /opt/centrify/samba/ [Y] : Y
Using (Y) Creating symbolic links from /usr/sbin/ to /opt/centrify/samba/sbin/… Creating symbolic links from /usr/bin/ to /opt/centrify/samba/bin/… Creating symbolic links from /usr/lib64/ to /opt/centrify/samba/lib/… Creating symbolic links from /lib/security/ to /opt/centrify/samba/lib/security/… Creating symbolic links from /etc/pam.d/ to /opt/centrify/samba/etc/pam.d/… Creating symbolic links from /etc/logrotate.d/ to /opt/centrify/samba/etc/logrotate.d/… Creating symbolic links from /etc/samba/smbusers to /opt/centrify/samba/etc/samba/smbusers Creating symbolic links from /etc/samba/lmhosts to /opt/centrify/samba/etc/samba/lmhosts Joined to Domain: churchill1795.local Zone: Auto Zone Do you want to leave and join to another domain? [N] :N
Using (N) Remove Winbind settings (if any) from /etc/nsswitch.conf. No Winbind settings found. Removing old state files… Updating smb.conf with Centrify recommended settings… Existing file ‘/etc/centrifydc/centrifydc.conf’ is backed up as ‘/etc/centrifydc/centrifydc.conf.pre_adbindproxy’ Reset the Samba User/Group ID Cache (Centrify Samba may create conflicting mappings) [Y] :Y
Using (Y)
Init Samba start script … Restarting Samba daemons …
Warning: Unit file of centrifydc-samba.service changed on disk, ‘systemctl daemon-reload’ recommended. Restarting centrifydc-samba (via systemctl): [ OK ]
Check if SWAT symbolic link exists: /opt/centrify/samba/share/samba/swat -> /opt/centrify/samba/share/swat
Current DirectControl Configuration:
Local host name: devwebapplication-02 Joined to domain: churchill1795.local Joined as: devwebapplications-02.churchill1795.local Pre-win2K name: devwebapplicati Current DC: ad-01.churchill1795.local Preferred site: HeadOffice Zone: Auto Zone Last password set: 2015-11-10 14:22:37 GMT CentrifyDC mode: connected Licensed Features: Disabled
Current Samba Configuration:
LDAP server: x.x.x.x LDAP server name: ad.acme.local Realm: acme.LOCAL Bind Path: dc=acmedc=LOCAL LDAP port: 389 Server time: Tue, 10 Nov 2015 14:22:40 GMT KDC server: x.x.x.x Server time offset: 0
Press ENTER to continue …
Samba is now installed. OK now you need to create a folder and share it. This is a development web server so I am sharing /var/www/html, the share will be called web You need to edit the /etc/samba/smb.conf file Go to the bottom of the file and [web] comment = Apache web directory path = /var/www/html public = no valid users = +DOMAINNAME\DOMAIN_GROUPNAME writable = yes This will allow members of the group access to the directory. Because this is a systemd server you need to use systemctl to restart the services.
systemctl restart centrifydc.service
Centrify also add the applicable ini.d scripts so
service centrifydc-samba restart service centrifydc restart
The Survival Guides's Blog 