Cheat sheet for installing Centrify

This is more for me than a general help blog: the instructions that come with the Centrify product are pretty good, but there are pages and pages of them. I just want the salient points to get me up and running.


For those who do not know, this product lets you join a Linux server to a Windows domain via a scripted method, without all of the hassle of doing it by hand. It also has a Samba element, which is what I want it for!


There is much more to the enterprise product and you can do some really cool things with it, but I am happy with the free version.


You need to download the suite and the Samba package. The Centrify site tries its best to hide the downloads: you have to register for the download, and then it does its best to hide the bits you need. To download and register use

Or you can follow this link

The Express suite for CentOS is


The Samba install is


So here are the basics of the installation.

You will need some base bits:

yum -y install perl
mkdir /opt/software
cd /opt/software


mkdir suite
tar -xvzf centrify-suite-2015.1-rhel4-x86_64.tgz -C suite
mkdir samba
tar -xvzf centrify-samba-4.5.9-rhel3-x86_64.tgz -C samba
cd suite

Run the installer script, install.sh, from the suite directory. It starts by running adcheck and prints the following:

***** ***** ***** WELCOME to the Centrify Express installer! ***** ***** *****


Detecting local platform …


Running ./adcheck-rhel4-x86_64 …
OSCHK    : Verify that this is a supported OS                   : Pass
PATCH    : Linux patch check                                     : Pass
PERL     : Verify perl is present and is a good version          : Pass
SAMBA    : Inspecting Samba installation                        : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass
HOSTNAME : Verify hostname setting                              : Pass
NSHOSTS  : Check hosts line in /etc/nsswitch.conf               : Pass
DNSPROBE : Probe DNS server                                     : Pass
DNSCHECK : Analyze basic health of DNS servers                  : Warning
         : Only one DNS server was found in /etc/resolv.conf.
         : At least one backup DNS server is recommended for
         : enterprise installations.
         : Only one good DNS server was found
         : You might be able to continue but it is likely that you
         : will have problems.
         : Add more good DNS servers into /etc/resolv.conf.


WHATSSH  : Is this an SSH that DirectControl works well with    : Pass
SSH      : SSHD version and configuration                       : Warning
         : You are running OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013.
         :
         : This version of OpenSSH does not seem to be configured for PAM,
         : ChallengeResponse and Kerberos/GSSAPI support.
         : To get Active Directory users to successfully login,
         : you need to configure your OpenSSH with the following options:
         : (display the ones we identified were not set)
         : ChallengeResponseAuthentication yes
         : UsePAM Yes
         :
         : Centrify provides a version of OpenSSH that's configured properly
         : to allow AD users to login and provides Kerberos GSSAPI support.
         :
         : If you install Centrify Express or Centrify Suite
         : Standard or Enterprise Edition, the Centrify build of
         : OpenSSH will be installed automatically. Alternatively
         : you may choose individual Suite packages to install
         : with the Custom install option.


2 warnings were encountered during check. We recommend checking these before proceeding


WARNING: adcheck exited with warning(s).


With this script, you can perform the following tasks:
– Install (update) Centrify Suite Enterprise Edition (License required) [E]
– Install (update) Centrify Suite Standard Edition (License required) [S]
– Install (update) Centrify Suite Express Edition [X]
– Custom install (update) of individual packages [C]


You can type Q at any prompt to quit the installation and exit the script without making any changes to your environment.


How do you want to proceed? (E|S|X|C|Q) [X]:X


The Express mode license allows you to install a total of 200 agents. The Express mode license does not allow the use of licensed features for advanced authentication, access control, auditing, and centralized management. This includes, but is not limited to features such as SmartCard authentication, DirectAuthorize, DirectAudit, Group Policy, Login User Filtering, and NSS overrides.


Do you want to continue to install in Express mode? (C|Y|Q|N) [Y]:Y



Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]:Y


Please enter the Active Directory domain to check []:acme


Join an Active Directory domain? (Q|Y|N) [Y]:Y


Enter the Active Directory domain to join [acme]:acme.local


Enter the Active Directory authorized user [administrator]:Administrator

(Any account with rights to create computer objects in the target container will do. A delegated join account is preferable to the domain Administrator, whose password you are about to type into a server.)


Enter the password for the Active Directory user:


Enter the computer name [server-01]: (press Enter to accept the default)

Enter the container DN [Computers]: (press Enter)

Enter the name of the domain controller [auto detect]: (press Enter)


Reboot the computer after installation? (Q|Y|N) [Y]:Y


You will get a confirmation screen




You chose Centrify Suite Express Edition and entered the following:
Install CentrifyDC 5.2.3 package : Y
Install CentrifyDC-nis 5.2.3 package : N
Install CentrifyDC-openssh 5.2.3 package : Y
Install CentrifyDC-ldapproxy 5.2.3 package : N
Install CentrifyDA 3.2.3 package : N
Run adcheck : Y
Join an Active Directory domain : Y
Active Directory domain to join : acme.local
Active Directory authorized user : Administrator
computer name : server-01
container DN : Computers
domain controller name : auto detect
Reboot computer : Y

Note that CentrifyDC-openssh installs Centrify's own build of sshd in place of the distro one. From then on fixes for it arrive through Centrify packages rather than through the distro's openssh updates, so it needs to be on your patching list.


If this information is correct and you want to proceed, type “Y”. To change any information, type “N” and enter new information. Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]:Y

The installation will start and the server will reboot if successful. To avoid errors when installing the Samba package you need one more bit:

yum -y install cups


cd /opt/software/samba
rpm -i centrifydc-samba-3.6.25-4.5.9-rhel3-x86_64.rpm
rpm -i centrifydc-adbindproxy-4.5.9-rhel3-x86_64.rpm

Then run the adbindproxy configuration script, which the second package installs under /usr/share/centrifydc/bin/:

perl /usr/share/centrifydc/bin/

The script's own banner explains what it does: it configures the Centrify custom Samba build to interoperate with Centrify's DirectControl product, checks whether the machine is joined to an AD domain (prompting for the join if not), and updates smb.conf and the tdb files.


For security reasons, you will be prompted for the password several times while the script performs the different AD operations.


Please specify Centrify Samba's path if it is not in [/opt/centrify/samba/] : (press Enter)



Using (/opt/centrify/samba/)
The Samba base path is : /opt/centrify/samba/
Looking for conflicting Samba installations… No conflicting Samba found.
Do you want to create symbolic links from /usr to /opt/centrify/samba/ [Y] : Y

Using (Y)
Creating symbolic links from /usr/sbin/ to /opt/centrify/samba/sbin/…
Creating symbolic links from /usr/bin/ to /opt/centrify/samba/bin/…
Creating symbolic links from /usr/lib64/ to /opt/centrify/samba/lib/…
Creating symbolic links from /lib/security/ to /opt/centrify/samba/lib/security/…
Creating symbolic links from /etc/pam.d/ to /opt/centrify/samba/etc/pam.d/…
Creating symbolic links from /etc/logrotate.d/ to /opt/centrify/samba/etc/logrotate.d/…
Creating symbolic links from /etc/samba/smbusers to /opt/centrify/samba/etc/samba/smbusers
Creating symbolic links from /etc/samba/lmhosts to /opt/centrify/samba/etc/samba/lmhosts
Joined to Domain: acme.local
Zone: Auto Zone
Do you want to leave and join to another domain? [N] : N

Using (N)
Remove Winbind settings (if any) from /etc/nsswitch.conf. No Winbind settings found.
Removing old state files…
Updating smb.conf with Centrify recommended settings…
Existing file '/etc/centrifydc/centrifydc.conf' is backed up as '/etc/centrifydc/centrifydc.conf.pre_adbindproxy'
Reset the Samba User/Group ID Cache (Centrify Samba may create conflicting mappings) [Y] : Y


Using (Y)


Init Samba start script … Restarting Samba daemons …


Warning: Unit file of centrifydc-samba.service changed on disk, ‘systemctl daemon-reload’ recommended. Restarting centrifydc-samba (via systemctl): [ OK ]


Check if SWAT symbolic link exists: /opt/centrify/samba/share/samba/swat -> /opt/centrify/samba/share/swat


Current DirectControl Configuration:


Local host name: server-01
Joined to domain: acme.local
Joined as: server-01.acme.local
Pre-win2K name: SERVER-01
Current DC: ad-01.acme.local
Preferred site: HeadOffice
Zone: Auto Zone
Last password set: 2015-11-10 14:22:37 GMT
CentrifyDC mode: connected
Licensed Features: Disabled


Current Samba Configuration:


LDAP server: x.x.x.x
LDAP server name: ad-01.acme.local
Realm: ACME.LOCAL
Bind Path: dc=acme,dc=local
LDAP port: 389
Server time: Tue, 10 Nov 2015 14:22:40 GMT
KDC server: x.x.x.x
Server time offset: 0


Press ENTER to continue …


Samba is now installed. Now you need to create a folder and share it. This is a development web server so I am sharing /var/www/html; the share will be called web.

You need to edit the /etc/samba/smb.conf file. Go to the bottom of the file and add:

[web]
comment = Apache web directory
path = /var/www/html
public = no
valid users = +DOMAINNAME\DOMAIN_GROUPNAME
writable = yes

This gives members of that AD group, and nobody else, access to the directory: the leading + marks the name as a group rather than a user, and public = no refuses guest connections even if the global section allows them. Two things to check before blaming Centrify when a user is refused: the AD group must resolve through the Centrify NSS module on the box (getent group is the quick test once adbindproxy is configured), and if SELinux is enforcing, smbd is not allowed to write httpd content by default, so a writable share under /var/www needs the samba_export_all_rw boolean or an appropriate file context, otherwise writes fail with permission denied.

Because this is a systemd server you need to use systemctl to restart the services:

systemctl restart centrifydc.service
systemctl restart centrifydc-samba.service

(Run systemctl daemon-reload first if you saw the "Unit file ... changed on disk" warning above.) Centrify also adds the applicable init.d scripts, so on a SysV system:

service centrifydc-samba restart
service centrifydc restart
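As an added example (not from the original post and not part of Centrify's tooling), here is a small shell helper for the share step above: it appends the [web] stanza to an smb.conf, refuses to add it twice, and checks that a share is neither open to guests nor missing the AD group restriction in valid users. The share name web, the path /var/www/html and the group ACME\web_admins are assumptions; the create and directory masks are added so that files written through the share stay readable by httpd.

```bash
#!/bin/bash
# Added example, not part of the original post or of Centrify's tooling.
# Assumed names: share "web", path /var/www/html, AD group ACME\web_admins.

# Print a share stanza restricted to one AD group. The "+" in valid users means
# "members of this group"; public = no keeps guests out even if [global] allows them.
samba_share_stanza() {            # $1 share name, $2 path, $3 DOMAIN\group
    cat <<EOF

[$1]
    comment = Apache web directory
    path = $2
    public = no
    valid users = +$3
    writable = yes
    create mask = 0644
    directory mask = 0755
EOF
}

# Append the stanza to an smb.conf ($1), unless a section of that name already exists.
append_share() {                  # $1 smb.conf, $2 share name, $3 path, $4 DOMAIN\group
    grep -q "^[[:space:]]*\[$2]" "$1" && { echo "[$2] already present in $1" >&2; return 1; }
    samba_share_stanza "$2" "$3" "$4" >> "$1"
}

# Lines belonging to one [section] of an smb.conf.
share_section() {                 # $1 smb.conf, $2 share name
    awk -v s="[$2]" '
        /^[[:space:]]*\[/ { insec = ($1 == s); next }
        insec { print }' "$1"
}

# Fail (return 1) when a share allows guests or has no "+group" restriction.
check_share() {                   # $1 smb.conf, $2 share name
    local sec rc=0
    sec=$(share_section "$1" "$2")
    [ -n "$sec" ] || { echo "share [$2] not found" >&2; return 1; }
    if printf '%s\n' "$sec" | grep -Eiq '^[[:space:]]*(public|guest ok)[[:space:]]*=[[:space:]]*yes'; then
        echo "[$2] allows guest access" >&2; rc=1
    fi
    if ! printf '%s\n' "$sec" | grep -Eq '^[[:space:]]*valid users[[:space:]]*=[[:space:]]*[+]'; then
        echo "[$2] has no group restriction in valid users" >&2; rc=1
    fi
    return $rc
}

# Real run (root): add the share, validate, syntax-check with testparm, restart the units.
apply() {
    append_share /etc/samba/smb.conf web /var/www/html 'ACME\web_admins' || exit 1
    check_share /etc/samba/smb.conf web || exit 1
    testparm -s /etc/samba/smb.conf > /dev/null || exit 1
    systemctl daemon-reload
    systemctl restart centrifydc-samba.service
}

case "${1:-}" in apply) apply ;; esac
```

Run it as "bash thisfile apply" on the server; with no argument it only defines the functions, so you can source it and point check_share at any existing smb.conf to audit shares that were added by hand.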





Creating an NFS CentOS 6 Linux target server

We have some old kit, I have a Friday free, and we need a development environment to get a few things working.

So I decided to embark on a VMware server and storage build, all of course without spending any money 🙂 (well, on software anyway).

So I have 2 HP GL-something servers for the VMware environment, a DL server to act as the iSCSI storage server, and a 14-disk array that can be connected via a direct fibre HBA. All sounds good.

The idea is to software-RAID the disk array, present it to the storage server, and have that server serve it out over iSCSI via direct-connected, bonded Ethernet cards.

The first thing, which I thought would be the easiest bit, was creating the RAID array. This turned out not to be the case, but when you see the solution: DOH!

Linux OS is CentOS 6.3

I know you may wonder why I did not use FreeNAS or NAS4Free. I did try, but the hardware was not compatible. It would not even boot, so I could not even go after some fixes.

So onto the install.

First find out what the disks are called.

fdisk -l

This displays a long list; look for the header lines of the form "Disk /dev/sd...:", one per disk. Armed with this information

fdisk -l | grep /dev/sd

This will list all of the disks. In my case /dev/sda —> /dev/sdm

To make sure none of the disks has a partition you can use various tools such as fdisk (there is a good tutorial on how to delete a partition here). I used cfdisk; it has a menu so you do not have to remember the switches 🙂

cfdisk /dev/sdX

Delete any partitions, then save and exit. Do this for every disk that you want to put into the array, one disk at a time (cfdisk takes a single device, so a /dev/sd* glob will not work).

Now to create the array. I am creating a RAID 6 array with 2 spare disks; they are old disks and I want a bit of a guarantee regarding their condition.

A good mdadm write-up is, of all places, on Wikipedia: Mdadm

mdadm --create --verbose /dev/md0 --level=6 --raid-devices=11 /dev/sda /dev/sdb /dev/sdc /dev/sdd /dev/sde /dev/sdf /dev/sdg /dev/sdh /dev/sdi /dev/sdj /dev/sdk --spare-devices=2 /dev/sdl /dev/sdm

(--raid-devices must equal the number of active members listed, eleven here; the output further down shows [11/11]. The two spares are counted separately by --spare-devices.)

I got this error:

mdadm: super1.x cannot open /dev/sdb1: Device or resource busy
mdadm: ddf: Cannot use /dev/sdb1: Device or resource busy

What this means is that some of the disks still carry a RAID superblock from a previous life, and the kernel auto-assembled them into an array at boot, so the OS is holding them. To discover if this is the case

cat /proc/mdstat

This will list which array has got hold of the disks; a good chance it will be md127. To get rid of it

mdadm --stop /dev/<mdxxx>

where xxx is the array number found in the cat command above. Stop only the array that is holding your disks, not everything in the list: if the operating system itself lives on an md device, stopping that will take it down. Once you have stopped the stale array, issue the mdadm --create command again; it will warn about the old metadata it finds on each disk and ask you to confirm (for a completely clean start, wipe the old superblocks with mdadm --zero-superblock on each disk first).

This will start the creation of the RAID array. Depending on the size and speed this could take hours. To check that the RAID is building:

cat /proc/mdstat

You will get something along the lines of

cat /proc/mdstat
Personalities : [raid6] [raid5] [raid4]
md0 : active raid6 sdm[12](S) sdl[11](S) sdk[10] sdj[9] sdi[8] sdh[7] sdg[6] sdf[5] sde[4] sdd[3] sdc[2] sdb[1] sda[0]
1290359808 blocks super 1.2 level 6, 512k chunk, algorithm 2 [11/11] [UUUUUUUUUUU]
[======>..............]  resync = 32.7% (46917760/143373312) finish=175.3min speed=9168K/sec

unused devices: <none>

Once the RAID array is created it is time to create a file system and mount it, and also to make sure the RAID is assembled under its name when the system is rebooted:

mdadm --detail --scan >> /etc/mdadm.conf

OK, another area of investigation: what is the best Linux file system? Well, as with all things, it depends on what you need it for. The storage is for VMware files, 10GB to 50GB flat files, so I am going to try out the XFS file system, which is supposed to be good and fast for larger files.

Something strange happened: I had to reboot the server and /dev/md0 became /dev/md127. I had no idea why at the time and just wanted to get it finished. The usual cause on CentOS 6 is that the initramfs was built before /etc/mdadm.conf knew about the array, so early boot assembles it under the fallback name; rebuilding the initramfs with dracut -f after updating mdadm.conf keeps the md0 name across reboots.

You now need to create a logical volume; this is what will carry the file system that you mount. vgcreate initialises /dev/md0 as a physical volume if it is not one already (pvcreate does the same step explicitly).

# create a volume group named "vg_target00" with 32M extents

vgcreate -s 32M vg_target00 /dev/md0

# create a logical volume named "lv_target00" of a fixed size

lvcreate -L 130G -n lv_target00 vg_target00

Or, to give the logical volume the whole volume group:

lvcreate -l 100%VG -n lv_target00 vg_target00

This area got a bit fuzzy and the exact order may need to change; I tried to keep notes around this element, but I tried many different bits. One thing is for sure though: if you use the XFS file system then you need the right packages installed, or you get

bash: mkfs.xfs: command not found

So some bits and pieces were needed:

yum install xfsdump xfsprogs
mkdir /mnt/storage

Make the file system first, then mount it (the order matters; a volume with no file system on it yet cannot be mounted):

mkfs -t xfs -f /dev/vg_target00/lv_target00

mount -t xfs /dev/vg_target00/lv_target00 /mnt/storage

It is now mounted. To make this a permanent mount, add a line to fstab:

vi /etc/fstab
/dev/vg_target00/lv_target00 /mnt/storage       xfs     defaults        0 0
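The array, LVM and XFS steps above are one procedure, so here is an added example (not from the original post) that wraps them in a script. It parses /proc/mdstat so that only a stale array actually holding the chosen disks is stopped, derives --raid-devices from the member list so the count cannot disagree with the devices given, and reports resync progress. The device names, the 11 active plus 2 spare layout, and the sample mdstat text are assumptions for illustration; the real commands only run when the script is invoked with "apply".

```bash
#!/bin/bash
# Added example, not from the original post. Wraps the mdadm / LVM / XFS steps above.
# Device names are assumptions matching the post's layout: 11 active members, 2 spares.
ACTIVE="/dev/sda /dev/sdb /dev/sdc /dev/sdd /dev/sde /dev/sdf /dev/sdg /dev/sdh /dev/sdi /dev/sdj /dev/sdk"
SPARES="/dev/sdl /dev/sdm"

# Member devices of one array as listed in a /proc/mdstat-style file ($1), e.g.
# "sdc[2](S)" -> "sdc".
array_members() {                 # $1 mdstat file, $2 array name (md127)
    awk -v md="$2" '$1 == md { for (i = 5; i <= NF; i++) { sub(/\[.*/, "", $i); print $i } }' "$1"
}

# Arrays that hold any of the given devices. Only these are safe to stop before
# --create; stopping every array in the list would also stop an OS living on md.
arrays_holding() {                # $1 mdstat file, then /dev/sdX ...
    local file=$1 md m dev
    shift
    for md in $(awk '/^md[0-9]+ :/ { print $1 }' "$file"); do
        for m in $(array_members "$file" "$md"); do
            for dev in "$@"; do
                [ "$m" = "${dev#/dev/}" ] && { echo "$md"; continue 3; }
            done
        done
    done
    return 0
}

# Progress of a running resync: prints "percent minutes_left", nothing when idle.
resync_progress() {               # $1 mdstat file
    awk '/resync = / { p = $0; sub(/.*resync = /, "", p); sub(/%.*/, "", p)
                       f = $0; sub(/.*finish=/, "", f); sub(/min.*/, "", f)
                       print p, f }' "$1"
}

# Build the --create command with --raid-devices derived from the member list, so the
# count can never disagree with the devices actually given.
mdadm_create_cmd() {              # $1 md device, $2 level, $3 "active members", $4 "spares"
    local md=$1 level=$2 active=$3 spares=$4 n_active n_spare
    set -- $active; n_active=$#
    set -- $spares; n_spare=$#
    printf 'mdadm --create --verbose %s --level=%s --raid-devices=%s %s' "$md" "$level" "$n_active" "$active"
    [ "$n_spare" -gt 0 ] && printf ' --spare-devices=%s %s' "$n_spare" "$spares"
    printf '\n'
}

# Constructed sample of /proc/mdstat (not captured from a real box) for trying the parsers.
write_sample_mdstat() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
Personalities : [raid6] [raid5] [raid4]
md127 : active raid6 sdc[2] sdb[1] sda[0]
      1290359808 blocks super 1.2 level 6, 512k chunk, algorithm 2 [3/3] [UUU]
      [======>..............]  resync = 32.7% (46917760/143373312) finish=175.3min speed=9168K/sec

unused devices: <none>
EOF
    echo "$f"
}

# Real run (root). Stops only stale arrays holding our disks, wipes their old superblocks,
# creates the array, records it for boot, then LVM + XFS + fstab as in the post.
apply() {
    local md d
    for md in $(arrays_holding /proc/mdstat $ACTIVE $SPARES); do mdadm --stop "/dev/$md"; done
    for d in $ACTIVE $SPARES; do mdadm --zero-superblock "$d"; done
    eval "$(mdadm_create_cmd /dev/md0 6 "$ACTIVE" "$SPARES")"
    mdadm --detail --scan >> /etc/mdadm.conf
    dracut -f                      # rebuild initramfs so early boot keeps the md0 name
    pvcreate /dev/md0
    vgcreate -s 32M vg_target00 /dev/md0
    lvcreate -l 100%VG -n lv_target00 vg_target00
    mkfs.xfs -f /dev/vg_target00/lv_target00
    mkdir -p /mnt/storage
    grep -q lv_target00 /etc/fstab || echo '/dev/vg_target00/lv_target00 /mnt/storage xfs defaults 0 0' >> /etc/fstab
    mount /mnt/storage
}

case "${1:-}" in apply) apply ;; esac
```

While the array builds, "resync_progress /proc/mdstat" gives you the percentage and the minutes remaining without reading the whole mdstat block; once it prints nothing the resync has finished.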

OK, we now have the disk array prepared; next the connectivity needs sorting out. I installed a 4-port NIC in the server and will bond two ports together for each of the two servers, giving each a direct connection. Bonding the ports together will, I hope, give me enough throughput for decent performance. To determine what NICs you have:

ls /etc/sysconfig/network-scripts/

This will list something along the lines of

ifcfg-eth0 ifcfg-eth5 ifdown-ippp ifdown-routes ifup-bnep ifup-plip ifup-sit network-functions
ifcfg-eth1 ifcfg-lo ifdown-ipv6 ifdown-sit ifup-eth ifup-plusb ifup-tunnel network-functions-ipv6
ifcfg-eth2 ifdown ifdown-isdn ifdown-tunnel ifup-ippp ifup-post ifup-wireless
ifcfg-eth3 ifdown-bnep ifdown-post ifup ifup-ipv6 ifup-ppp init.ipv6-global
ifcfg-eth4 ifdown-eth ifdown-ppp ifup-aliases ifup-isdn ifup-routes net.hotplug

The NICs I am interested in are ifcfg-eth2, ifcfg-eth3, ifcfg-eth4 and ifcfg-eth5. One note: many of the tutorials I read specified changing the modprobe.conf file. That file has been deprecated and the .conf files now live in /etc/modprobe.d.

So let's start. We will have bond0 and bond1.

Just a note on the IP addresses that we will use: as we are direct-connecting the servers, I am going to configure each link as its own small network with two hosts, one address at each end.


bond0  details (server)


bond0  details (client)


bond1  details (server)


bond1  details (client)


You need ethtool installed for NIC bonding to work (the link-speed-aware modes such as mode 5 depend on it):

yum install ethtool

Bond0 creation

 echo "DEVICE=bond0"  >/etc/sysconfig/network-scripts/ifcfg-bond0
 echo "IPADDR="  >> /etc/sysconfig/network-scripts/ifcfg-bond0
 echo "NETWORK="  >> /etc/sysconfig/network-scripts/ifcfg-bond0
 echo "NETMASK="  >> /etc/sysconfig/network-scripts/ifcfg-bond0
 echo "USERCTL=no"  >> /etc/sysconfig/network-scripts/ifcfg-bond0
 echo "BOOTPROTO=none" >> /etc/sysconfig/network-scripts/ifcfg-bond0
 echo "ONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond0

Bond1 creation

echo "DEVICE=bond1"  >/etc/sysconfig/network-scripts/ifcfg-bond1
echo "IPADDR="  >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "NETWORK="  >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "NETMASK="  >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "USERCTL=no"  >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "BOOTPROTO=none" >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "ONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond1

OK, we now need to tell the NIC ports that they belong to the bond:

vi /etc/sysconfig/network-scripts/ifcfg-eth3

My current config looks like this


We need to change it to the following


This needs to be done for all of the ports and bonds.

Once this is done, you need to start the bonds. To do this create a bonding.conf file. There are many different bonding modes; these are described in Tips and tricks for bonding interfaces.

I want to balance my NICs to get the best throughput, so I am using mode 5 (balance-tlb). One caveat with setting the mode through module options as below: the options belong to the bonding module, so every bond it creates gets the same mode. CentOS 6 lets you set them per bond instead with a BONDING_OPTS="mode=5 miimon=100" line in each ifcfg-bondN, which is what the Red Hat documentation recommends.

echo "alias bond0 bonding" > /etc/modprobe.d/bonding.conf
echo "options bond0 mode=5 miimon=100" >> /etc/modprobe.d/bonding.conf
echo "alias bond1 bonding" >> /etc/modprobe.d/bonding.conf
echo "options bond1 mode=5 miimon=100" >> /etc/modprobe.d/bonding.conf

We now need to load the bonding driver into the kernel so that the options above take effect (this is what all the tutorials tell you to do; modprobe loads the module and applies the options from /etc/modprobe.d):

modprobe bonding
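The ifcfg contents for the slave ports were in images that did not survive, so here is an added example (not the post's own files) that generates the CentOS 6 ifcfg files for a bond and its slaves, using BONDING_OPTS so each bond carries its own mode. It also checks for the classic silent failure, a SLAVE file naming a MASTER that has no ifcfg of its own. The addresses 192.168.50.1 and 192.168.51.1 and the eth2 to eth5 assignment are assumptions.

```bash
#!/bin/bash
# Added example, not from the original post. Generates the CentOS 6 ifcfg files for a
# bond and its slave ports. Addresses are assumptions; the post's own were in lost images.
NS=${NS:-/etc/sysconfig/network-scripts}

# ifcfg for the bond itself. BONDING_OPTS is the CentOS 6 way to set options per bond
# (mode=5 is balance-tlb, miimon=100 polls link state every 100 ms).
write_bond() {                    # $1 dir, $2 bond, $3 ip, $4 netmask, $5 bonding opts
    cat > "$1/ifcfg-$2" <<EOF
DEVICE=$2
IPADDR=$3
NETMASK=$4
BOOTPROTO=none
ONBOOT=yes
USERCTL=no
NM_CONTROLLED=no
BONDING_OPTS="$5"
EOF
}

# ifcfg for a physical port enslaved to a bond: no address of its own.
write_slave() {                   # $1 dir, $2 port, $3 master bond
    cat > "$1/ifcfg-$2" <<EOF
DEVICE=$2
MASTER=$3
SLAVE=yes
BOOTPROTO=none
ONBOOT=yes
USERCTL=no
NM_CONTROLLED=no
EOF
}

# Names of the ports enslaved to a bond, from the ifcfg files in a directory.
slaves_of() {                     # $1 dir, $2 bond
    local f
    for f in "$1"/ifcfg-*; do
        grep -q '^SLAVE=yes' "$f" 2>/dev/null || continue
        [ "$(sed -n 's/^MASTER=//p' "$f")" = "$2" ] && sed -n 's/^DEVICE=//p' "$f"
    done
    return 0
}

# Every SLAVE file must name a MASTER that has its own ifcfg; otherwise the port
# comes up with no address and no bond, silently. Returns 1 on the first orphan.
check_slaves() {                  # $1 dir
    local f master rc=0
    for f in "$1"/ifcfg-*; do
        grep -q '^SLAVE=yes' "$f" 2>/dev/null || continue
        master=$(sed -n 's/^MASTER=//p' "$f")
        [ -f "$1/ifcfg-$master" ] || { echo "$f: MASTER=$master has no ifcfg-$master" >&2; rc=1; }
    done
    return $rc
}

# Real run (root): two bonds, two ports each, then load the driver and restart networking.
apply() {
    write_bond  "$NS" bond0 192.168.50.1 255.255.255.0 "mode=5 miimon=100"
    write_slave "$NS" eth2 bond0
    write_slave "$NS" eth3 bond0
    write_bond  "$NS" bond1 192.168.51.1 255.255.255.0 "mode=5 miimon=100"
    write_slave "$NS" eth4 bond1
    write_slave "$NS" eth5 bond1
    check_slaves "$NS" || exit 1
    modprobe bonding
    service network restart
    cat /proc/net/bonding/bond0    # shows mode, MII status and the enslaved ports
}

case "${1:-}" in apply) apply ;; esac
```

After "service network restart", /proc/net/bonding/bond0 is the place to confirm the mode and that both ports show "MII Status: up"; a port missing from that list almost always means its ifcfg never pointed at the bond.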

Okay, the last thing I want to do is present the disk so that the servers can use it. I tried iSCSI at the start but it really did not work in our environment, so I opted for NFS. So this is how I think I got this working; there was a mix of iSCSI and NFS going on so this may be a little inaccurate, but it will get you most of the way there :).

yum -y install nfs-utils rpcbind

chkconfig nfs on
chkconfig rpcbind on
chkconfig nfslock on

The lines in /etc/exports (one per client) say which hosts are allowed to access the NFS shares. For security keep this as small as possible, ideally the single peer address at the other end of each bond rather than a whole subnet, and, given the nature and amount of traffic, it should be on a separate network. Bear in mind that an ESXi NFS datastore needs no_root_squash, which means root on that client is root on the exported path; that is only acceptable because the client is a known host on a direct-connected link.

vi /etc/exports

exportfs -a
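The exports themselves were not in the post, so here is an added example (not the author's file) that writes one tightly scoped /etc/exports entry per peer and audits an exports file for entries that are open to any client or hand out root to a whole network. The peer addresses 192.168.50.2 and 192.168.51.2, and the sample bad entries used to exercise the checks, are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original post. Builds tightly scoped /etc/exports entries for
# the storage volume and flags entries that are open to the world. The peer addresses (the
# ESXi hosts at the far end of bond0 and bond1) are assumptions.
EXPORT_PATH=/mnt/storage
PEERS="192.168.50.2 192.168.51.2"

# One exports line per client host. no_root_squash is required for ESXi NFS datastores,
# which means root on that client is root on this path: hence a single host, never a range.
exports_line() {                  # $1 path, $2 client host or network
    printf '%s %s(rw,sync,no_root_squash,no_subtree_check)\n' "$1" "$2"
}

# Print exports entries reachable by any client: no client field, "*", or bare "(opts)".
open_exports() {                  # $1 exports file
    awk '!/^[[:space:]]*(#|$)/ { if (NF < 2 || $2 ~ /^\*/ || $2 ~ /^\(/) print }' "$1"
}

# Print entries that give no_root_squash to something wider than a single host
# (a CIDR network or a wildcard hostname).
wide_root_exports() {             # $1 exports file
    awk '!/^[[:space:]]*(#|$)/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /no_root_squash/ && $i ~ /^[^(]*[\/*?]/) print }' "$1"
}

# Returns 1 (and lists the offenders on stderr) if anything in the file is too open.
check_exports() {                 # $1 exports file
    local bad
    bad=$(open_exports "$1"; wide_root_exports "$1")
    [ -z "$bad" ] || { printf 'too open:\n%s\n' "$bad" >&2; return 1; }
}

# Write the exports file from scratch: one line per peer, nothing else.
write_exports() {                 # $1 exports file
    local p
    : > "$1"
    for p in $PEERS; do exports_line "$EXPORT_PATH" "$p" >> "$1"; done
}

apply() {
    write_exports /etc/exports
    check_exports /etc/exports || exit 1
    exportfs -ra
    exportfs -v                   # confirm what is actually being served, and to whom
}

case "${1:-}" in apply) apply ;; esac
```

exportfs -v is worth reading after every change: it prints the effective options per client, including defaults you did not write, so a root_squash you assumed was in place but is not shows up there.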

I have compiled this almost-how-to guide from the resources below.

Create an RPM build environment

I am trying to get Java onto a CentOS 5.5 server. The RPM install appears to work, but when trying to install a particular app it fails.

I then came across the CentOS wiki on how to install it.

The front end to this is building an environment in which to build the RPM.

NOTE: you will need another user for part of this process, as rpmbuild should not be done as root: the spec's %prep, %build and %install scripts run as whatever user invokes rpmbuild, so a mistake (or a hostile spec) in them would otherwise run with root's privileges.

The full instructions can be found here

As root

yum install -y rpm-build gcc gcc-c++ redhat-rpm-config
yum install jpackage-utils

As not root user

mkdir -p ~/rpmbuild/{SOURCES,SRPMS,SPECS,RPMS,tmp,BUILD}

This creates the build environment. See here for the Java build; it will give you an idea of what is required.

Chroot SFTP connection

With the newer versions of OpenSSH, chrooting has become much easier with the ChrootDirectory directive.

For this example we will use the following:

username – sftpuser

group – sftponly

Ensure the latest OpenSSH is installed; a guide can be found here.

cd /etc/ssh

vi sshd_config

Navigate to the bottom, comment out any existing Subsystem lines and add the following:

Subsystem       sftp    internal-sftp

Match Group sftponly

(sftponly is the group name that you have allocated and want to limit access to)

ChrootDirectory %h

ForceCommand internal-sftp

AllowTcpForwarding no

The Match block has to be the last thing in the file: every directive after a Match line applies only to sessions matching it, up to the next Match line, so anything you append below it by mistake silently stops applying to everyone else.

My file looks like this

# override default of no subsystems
#Subsystem      sftp    /usr/local/libexec/sftp-server
Subsystem       sftp    internal-sftp

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

Match Group sftponly
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
        ChrootDirectory %h

Save and exit the file

groupadd sftponly
chown root:root /home
chmod 755 /home


useradd sftpuser

usermod -g sftponly sftpuser
usermod -s /bin/false sftpuser
usermod -d /home/sftpuser sftpuser
passwd sftpuser

To create the jail

chmod 755 /home/sftpuser
chown root:root /home/sftpuser
mkdir /home/sftpuser/xxxxx
chown sftpuser:sftponly /home/sftpuser/xxxxx

where xxxxx is a directory name of your choice. The chroot itself (/home/sftpuser) must stay owned by root and not be writable by the user, or sshd refuses the login with "bad ownership or modes for chroot directory"; the user gets a writable directory inside it instead.

To see if this works:

ssh sftpuser@x.x.x.x

It will prompt for a password; it should accept the password and then close the session, because the ForceCommand only ever runs the SFTP server and there is no shell to hand over.

sftp sftpuser@x.x.x.x

It will prompt for a password and then take you to the home directory (which appears as / inside the chroot); you must cd into the directory created above to put files.
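The ownership and permission rules on the chroot path are what break most of these setups, so here is an added example (not from the original post) that checks every directory from the chroot up to a given top is owned by the expected uid and is not group- or world-writable, which is exactly what sshd enforces before it will chroot. The jail layout follows the post; the upload directory name and the sshd -t check are additions.

```bash
#!/bin/bash
# Added example, not from the original post. Checks the thing that breaks most chroot
# SFTP setups: sshd refuses the ChrootDirectory unless it and every directory above it
# are owned by root and writable by nobody else (it logs "bad ownership or modes for
# chroot directory" and drops the connection). Paths are the post's; "upload" is assumed.
JAIL=/home/sftpuser
SFTP_USER=sftpuser
SFTP_GROUP=sftponly

# Walk from $1 up to $3 (inclusive) and report any component not owned by uid $2 or
# writable by group/other. Returns 1 if anything is wrong. On a real box owner is 0.
check_chroot_chain() {            # $1 chroot dir, $2 owner uid (default 0), $3 top (default /)
    local p=$1 owner=${2:-0} top=${3:-/} rc=0 uid mode
    while :; do
        uid=$(stat -c %u "$p") || return 1
        mode=$(stat -c %a "$p") || return 1
        [ "$uid" = "$owner" ] || { echo "$p: owned by uid $uid, must be $owner" >&2; rc=1; }
        case $mode in
            *[2367]|*[2367][0-7]) echo "$p: mode $mode is group- or world-writable" >&2; rc=1 ;;
        esac
        [ "$p" = "$top" ] && break
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Lay out the jail as in the post, plus a user-owned directory inside it for uploads.
make_jail() {                     # $1 jail dir, $2 user, $3 group
    mkdir -p "$1/upload"
    chown root:root "$1"; chmod 755 "$1"
    chown "$2:$3" "$1/upload"; chmod 750 "$1/upload"
}

# Real run (root): build the jail, verify the chain, syntax-check sshd_config, restart.
apply() {
    make_jail "$JAIL" "$SFTP_USER" "$SFTP_GROUP"
    check_chroot_chain "$JAIL" 0 / || exit 1
    sshd -t || exit 1
    service sshd restart
}

case "${1:-}" in apply) apply ;; esac
```

When a login is refused, run "check_chroot_chain /home/sftpuser" before touching sshd_config; in practice the culprit is nearly always a group-writable /home or a jail directory that was chowned to the user.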


You often need the user to log on seamlessly from another system.

For this to happen make sure the same user is set up on the remote system, then generate a key pair there:

ssh-keygen -t rsa

Press Enter for the default option, storing the key in the home directory, and do not enter a passphrase. (Bear in mind that a key with no passphrase is only as safe as the file it sits in; keep it readable by that user alone, and prefer a passphrase plus ssh-agent wherever an interactive user is around to unlock it.)

The public key then needs to be copied to the server that has just been chrooted:

cat /home/xxxxx/.ssh/ | ssh xxxx@server 'cat >> /home/xxxxx/.ssh/authorized_keys'

cat /home/xxxxx/.ssh/ | ssh xxxx@server 'cat >> /home/xxxxx/.ssh/authorized_keys2'

Some systems need the authorized_keys2 file (a legacy name that OpenSSH still reads by default alongside authorized_keys); a good explanation of this process can be found here. Key authentication happens before the chroot is applied, so authorized_keys lives under the real /home/sftpuser/.ssh on the server, and with StrictModes on (the default) that directory and file must not be group- or world-writable or sshd will ignore them.


This is one of the areas that can be a pain in the arse; drop me a line if you need help or have more to add to this post. There are a lot of people out there wanting to do this, based on the hits on this particular blog.



Installing OpenSSH 5.8 on CentOS 5.5

I needed to chroot an SFTP connection and wanted to use the latest OpenSSH package. I am running CentOS 5.5 and there is no RPM available.

So using the following instructions I created my own. It appears that you may be able to do this with most sources. One thing to note is that you will need the prerequisites to install the RPM, so reading the README or INSTALL instructions of the original source is a must.

The RPM creation was taken from the following site and works perfectly.

Download the relevant OpenSSH source from whichever mirror site you want; a list can be found here. Download the matching .asc signature as well and verify it against the OpenSSH release key before building anything, since a mirror is exactly where a tampered tarball would be handed to you.

I downloaded the 5.8p2 version which was the latest at the time

There are some prerequisites for an RPM build:

yum install gcc
yum install openssl-devel
yum install pam-devel
yum install rpm-build

I then removed the older version of OpenSSH. I am not sure if this is needed but I read on one blog that it was ??? (rpm -Uvh upgrades an installed package in place, so it should not be necessary.)

yum erase openssh

Please note that you will not be able to create a new SSH connection once this has been done, so do the remaining steps from the console or from a session that is already open.

mkdir /software
cd /software
gzip -d openssh-5.8p2.tar.gz
tar -xvf openssh-5.8p2.tar
cp openssh-5.8p2/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
gzip openssh-5.8p2.tar
cp openssh-5.8p2.tar.gz /usr/src/redhat/SOURCES/
cd /usr/src/redhat/SPECS
perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec

The perl one-liner switches off the GNOME and X11 askpass sub-packages in the contrib spec, which would otherwise drag desktop build dependencies into a server build. (An earlier version of this post had the wrong tarball name, 5.2p1, in the cp to SOURCES, as a commenter pointed out; the line above is the corrected one.)

rpmbuild -bb openssh.spec
cd /usr/src/redhat/RPMS/$(uname -i)

ls -l should display 3 RPM files.

OpenSSH also needs zlib and OpenSSL installed. The openssl-devel package installed with yum above already satisfies the build, and the distro packages are the ones that receive security patches; building your own copies into /usr/local, as below, means you own the patching of them from then on. If you do want the latest upstream versions:

zlib can be found here (1.2.5 was the latest release at the time of writing)

cd /software
gzip -d zlib-1.2.5.tar.gz
tar -xvf zlib-1.2.5.tar
cd zlib-1.2.5
./configure
make
make install

OpenSSL can be found here (0.9.8r was the latest release at the time of writing)

gzip -d openssl-0.9.8r.tar.gz
tar -xvf openssl-0.9.8r.tar
cd openssl-0.9.8r
./config
make
make install

Then install the RPMs that were built:

cd /usr/src/redhat/RPMS/$(uname -i)
rpm -Uvh openssh*rpm
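As an added example (not from the original post) covering both the "Create an RPM build environment" notes and the OpenSSH build above: a script that sets up the per-user rpmbuild tree, verifies the tarball's detached signature before anything inside it is executed, applies the askpass spec edit with sed, and builds. The version, the .asc file name and the use of $HOME/rpmbuild as the top directory are assumptions; the release key must already be in the build user's keyring, imported from a source you trust.

```bash
#!/bin/bash
# Added example, not from the original post. Ties together the rpmbuild tree from the
# "Create an RPM build environment" notes and the OpenSSH spec tweak above, and verifies
# the tarball's detached signature before anything in it is executed. Version and key
# handling are assumptions; check them against the release announcement.
VER=${VER:-5.8p2}
TARBALL="openssh-$VER.tar.gz"

# Per-user rpmbuild tree ($1 is the base, normally $HOME/rpmbuild). Building as an
# unprivileged user keeps the spec's %prep/%build scripts from running as root.
setup_rpmbuild_tree() {           # $1 base dir
    local d
    for d in SOURCES SRPMS SPECS RPMS tmp BUILD; do mkdir -p "$1/$d"; done
}

# Turn off the GNOME/X11 askpass sub-packages in the contrib spec (the same edit as the
# perl one-liner above, done with sed). Prints how many defines now read 1.
patch_askpass() {                 # $1 openssh.spec
    local after
    sed -i.bak -E 's/^(%define no_(gnome|x11)_askpass)[[:space:]]+0$/\1 1/' "$1"
    after=$(grep -Ec '^%define no_(gnome|x11)_askpass[[:space:]]+1$' "$1" || true)
    echo "$after"
}

# Refuse to build a tarball whose detached .asc does not verify against a key already
# in the keyring. A failed verify here is the whole point: stop and find out why.
verify_tarball() {                # $1 tarball, $2 detached signature
    gpg --batch --verify "$2" "$1"
}

# Real run, as the unprivileged build user, from the directory holding the tarball.
apply() {
    local top=$HOME/rpmbuild
    verify_tarball "$TARBALL" "$TARBALL.asc" || exit 1
    setup_rpmbuild_tree "$top"
    printf '%%_topdir %s\n' "$top" > "$HOME/.rpmmacros"
    tar -xzf "$TARBALL" "openssh-$VER/contrib/redhat/openssh.spec"
    cp "openssh-$VER/contrib/redhat/openssh.spec" "$top/SPECS/"
    cp "$TARBALL" "$top/SOURCES/"
    patch_askpass "$top/SPECS/openssh.spec"
    rpmbuild -bb "$top/SPECS/openssh.spec"
    ls -l "$top/RPMS/$(uname -i)"/openssh*.rpm   # install these with rpm -Uvh as root
}

case "${1:-}" in apply) apply ;; esac
```

The only step that needs root is the final rpm -Uvh of the built packages; everything up to and including rpmbuild stays in the build user's home, which is the separation the RPM build environment post was after.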

This will install the latest OpenSSH. Restart the daemon:

service sshd restart

Then, keeping your current session open, log in from a second terminal to confirm that it has worked; if the new daemon fails to accept the login, the open session is your way back in.

How to CHroot can be found here