Automating the Linux Client Server for Centrify and 2FA on Rocky Linux 8

The whole manual setup including those on the Active Directory can be found at Preparing a Linux Client Server for Centrify and 2FA for CentOS-7

If you just want to automate the Linux portion, here is something you may wish to consider.

Update the sshd_config template. The most important portion is that “PasswordAuthentication no” and “ChallengeResponseAuthentication yes” are present; the whole sshd_config template is too large for me to put into the blog.

.....
.....
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes
.....
.....
- name: Generate /etc/ssh/sshd_config from /etc/ssh/sshd_config.j2 template
  template:
      src: ../templates/sshd_config.j2
      dest: /etc/ssh/sshd_config
      owner: root
      group: root
      mode: 0600
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"

- name: Restart SSH Service
  systemd:
    name: sshd
    state: restarted
    enabled: yes
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"
  changed_when: false

Here is Centrify_2FA.yml to install the IwaTrustRoot.pem certificate

- name: Copy IwaTrustRoot.pem to /etc/pki/ca-trust/source/anchors/
  # copy, not template: a PEM certificate is static content and must not be Jinja-rendered
  copy:
    src: /usr/local/software/certificate/IwaTrustRoot.pem
    dest: /etc/pki/ca-trust/source/anchors/IwaTrustRoot.pem
    owner: root
    group: root
    mode: 0600
  become: true
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"

- name: Rebuild the system CA bundle so the new anchor is actually trusted
  # files dropped into anchors/ are only merged into the system bundle when update-ca-trust runs
  command: update-ca-trust
  become: true
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"

- name: Copy IwaTrustRoot.pem to /var/centrify/net/certs
  copy:
    src: /usr/local/software/certificate/IwaTrustRoot.pem
    dest: /var/centrify/net/certs/IwaTrustRoot.pem
    owner: root
    group: root
    mode: 0600
  become: true
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"

Restart CentrifyDC and run an adflush so that the client's cached Active Directory data is refreshed.

- name: CentrifyDC Restart
  ansible.builtin.shell: "/usr/share/centrifydc/bin/centrifydc restart"
  register: centrifydc_status
  changed_when: false

- name: Active Directory Flush
  ansible.builtin.shell: "adflush -f"
  register: flush_status
  changed_when: false

- name: Centrify Service Restarted
  # the message used to say "Load Average", which is not what centrifydc_status holds
  debug:
    msg: "CentrifyDC restart output: {{ centrifydc_status.stdout }}"

Protecting Centrify Zones from accidental deletion on Active Directory

If you have been using Centrify for some time, you will know that Centrify stores Zones and other objects within Active Directory (AD), typically under an OU. One question that always surfaces is how to protect these objects from accidental deletion. There are 2 ways; the first is the easiest.

Method 1 (manual, protects a specific AD object only):

  1. Ask your System Administrator or OU Administrator to open up the “Active Directory Users and Computers” application.
  2. Navigate to your intended AD object (or any AD object like your ‘Zone’).
  3. Right-click on your intended AD object, and select ‘Properties’.
  4. Click on the ‘Object’ tab.
  5. Ensure the checkbox ‘Protect object from accidental deletion’ is ticked.
  6. Click the ‘Apply’ and then the ‘Ok’ button to confirm the changes.

Method 2 (via PowerShell, protects all objects under a specified OU from accidental deletion):

1) Ask your System Administrator to open up the ‘PowerShell’ application.

2) In the command below, modify the ‘distinguishedName’ (DN) so that it points to the OU relevant to your domain. The command sets the flag for all objects in the specified OU:

    PowerShell: Get-ADObject -Filter * -SearchBase "{DN_Name}" | Set-ADObject -ProtectedFromAccidentalDeletion $true

Example command (for the Centrify ‘Zone’ OU): Get-ADObject -Filter * -SearchBase "CN=Zones,CN=Centrify,CN=Program Data,DC=win16org22,DC=pmm" | Set-ADObject -ProtectedFromAccidentalDeletion $true

(Take note: to obtain the DN, right-click on your intended AD object > select ‘Properties’ > click on the ‘Attribute Editor’ tab > click on the ‘distinguishedName’ attribute > copy the DN and paste it into the PowerShell command above.)

(Take note: this creates a “deny” for deletion on all the objects under the specified OU. Anyone who now tries to delete one of them will generate an event, and the user will have to remove this permission before the object can be deleted.)

Preparing a Linux Client Server for Centrify and 2FA for CentOS-7

Preliminary Notes:

You have to set up a Cloud Tenant from Centrify by registering an email with Centrify or a Centrify Authorised Reseller.

Once the Tenant has been set up, the login link will be sent to the email you provided.

You will need to set up the 2FA Connector VM on premise. The recommended specification of the connector VM is below; port 443 should be open for the VM.

  • 4 Core; 8GB RAM; 100 GB HDD; Windows 2016 or later

At the Active Directory

  1. Create UNIX computer group in AD if not already created
  2. Add the UNIX computers that will require 2FA to the UNIX group
  3. Create a UNIX Users group if not already created
  4. Add Users that will require 2FA to the UNIX user group
  5. Add the IWA root CA Certificate to the Centrify GPO. The IWA Certificate can be downloaded from the Centrify cloud but the connector needs to be setup first before we can download the IWA Certificate.

At the CentOS Server

Copying the IwaTrustRoot.pem Certificate to the CentOS Linux Server

  1. Change the extension of the IWA certificate that was downloaded from .cer to .pem
  2. For CentOS, please copy the certificate to this location /etc/pki/ca-trust/source/anchors/ in the test server.
  3. Copy the cert to /var/centrify/net/certs as well

Configure the SSH settings

# vim /etc/ssh/sshd_config
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no


# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes
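The check below is an added example, not part of the original post or of Centrify's tooling. It reads an sshd_config the way sshd does (the first uncommented value of a keyword wins, and settings inside a Match block are not global) and confirms the two settings required above, so it can verify both the Ansible template earlier and this manual edit. The two sample configs are constructed.

```shell
#!/bin/sh
# Added example: verify that an sshd_config carries the two settings the
# Centrify 2FA setup requires. sshd applies the FIRST uncommented value of
# each keyword, so a stray "PasswordAuthentication yes" placed above the
# template's line would silently win; the check mirrors that rule.

# Print the effective global value of KEYWORD in FILE (empty if unset).
sshd_option() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
        { sub(/=/, " ") }                             # accept "Key=value" as well as "Key value"
        tolower($1) == "match" { exit }               # Match blocks are conditional, not global
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Return 0 only when password logins are off and keyboard-interactive (the PAM
# path the Centrify 2FA prompt rides on) is on. OpenSSH 8.7+ renamed
# ChallengeResponseAuthentication to KbdInteractiveAuthentication, so both
# spellings are accepted.
sshd_2fa_ready() {
    cfg=$1
    pa=$(sshd_option "$cfg" PasswordAuthentication)
    cra=$(sshd_option "$cfg" ChallengeResponseAuthentication)
    [ -z "$cra" ] && cra=$(sshd_option "$cfg" KbdInteractiveAuthentication)
    [ "$pa" = "no" ] && [ "$cra" = "yes" ]
}

# Constructed sample configs for a stand-alone run.
TMPD=$(mktemp -d)
GOOD_CFG=$TMPD/good; BAD_CFG=$TMPD/bad
cat > "$GOOD_CFG" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication no
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes
EOF
cat > "$BAD_CFG" <<'EOF'
PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
EOF

for f in "$GOOD_CFG" "$BAD_CFG"; do
    if sshd_2fa_ready "$f"; then echo "$f: OK"; else echo "$f: NOT ready for 2FA"; fi
done
```

On a live host, `sshd -T` prints the effective values after all parsing, which is the authoritative place to confirm the result of the edit.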

Restart the SSHD Services

# systemctl restart sshd.service

Restart the Centrifydc services


# /usr/share/centrifydc/bin/centrifydc restart

Active Directory Flush

# adflush -f

Centrify Access Manager

At Centrify Access Manager, add the MFA users so that MFA is required for Login and UNIX Login on the required computer (see screenshot).

Further notes:

  1. Automating the Linux Client Server for Centrify and 2FA on Rocky Linux 8

Delinea announces support for AlmaLinux and Rocky Linux

Finally, Delinea (Centrify) has added support for RHCOS, AlmaLinux x86_64 and Rocky Linux. Good news indeed.

As we continue to bolster our PAM solutions for Linux, the latest release of Server Suite adds support for RHCOS, AlmaLinux x86_64, and Rocky Linux.

Red Hat Enterprise Linux CoreOS (RHCOS) is a container-optimized operating system for running containers at scale. Both Rocky Linux and AlmaLinux are binary-compatible with Red Hat Enterprise Linux (RHEL) and have emerged as a viable alternative to CentOS.

………

Delinea announces support for AlmaLinux and Rocky Linux

How to uninstall Centrify agent on Unix/Linux platforms?

As root or via sudo, open a terminal and navigate to the folder where Centrify was first installed (typically /usr/share/centrifydc/bin). On most Centrify DirectControl-managed systems, you can remove the Centrify DirectControl Agent and related files by running the uninstall.sh script as follows:

/bin/sh /usr/share/centrifydc/bin/uninstall.sh

For example:

Do you want to uninstall the CentrifyDC-5.8.1 package from this computer? (Q|Y|N) [N]:N

References

KB-1780: How to uninstall Centrify agent on Unix/Linux platforms?

Centrify Client goes into disconnect mode

The article is taken from Centrify Knowledge Base (KB-1425): adclient goes into “disconnected mode”

Causes

There are several reasons why adclient can go into disconnected mode. According to the article, it could be due to:

  • Replication Delays
  • Expired Computer Password or not renewed or out of sync

Solution:

In Linux, you can restart the Centrify DirectControl Service

# /etc/init.d/centrifydc restart
Stopping Centrify DirectControl:                           [  OK  ]
Starting Centrify DirectControl:                           [  OK  ]
adclient state is: connected

OR you can reset computer object on UNIX/LINUX client:

# adkeytab -r -u administrator@yourdomain.com

Notes:

Machine password renewal can be turned off (for testing purposes only) in /etc/centrifydc/centrifydc.conf by making the following change and running adreload. (Default is 28 days)

adclient.krb5.password.change.interval: 0

Implementing Docker Group using Centrify

Why Privilege Access For Docker Container?

Taken from Centrify HOWTO: Secure container/docker environments by managing privileges for admins and users

“To perform any docker operation, you need to either be root or part of a local group, ‘docker’, on your Linux machine. Why is that? Because access into a docker container is via a UNIX socket and any socket related operations require the user to have privileged access. ‘Docker’ group membership is sufficient for all container operations, exception is starting the docker daemon itself, which must always run as the root user.”

Step 1:

We need to create a group called docker and put in the necessary members.

Step 2: Verify the permissions of the Docker socket on the Linux server

# ls -lZ /var/run/docker.sock
srw-rw----. root root system_u:object_r:container_var_run_t:s0 /var/run/docker.sock
# getenforce
Permissive

Step 3: Change the group owner of the Docker socket

# chown root:docker /var/run/docker.sock

Step 4: Test that a docker group member can now talk to the daemon

[user1@node1 ~]$ docker search openfoam
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
docker.io docker.io/openfoamplus/of_v30plus_rhel66 Offical image of OpenFOAM+ (v3.0+) provide... 8
docker.io docker.io/openfoamplus/of_v1606plus_centos66 Offical image of OpenFOAM+ (v1606+) provid... 6
docker.io docker.io/openfoam/openfoam5-paraview54 Image of OpenFOAM v5 and ParaView 5.4.0 on... 5
docker.io docker.io/openfoam/openfoam6-paraview56 Image of OpenFOAM v6 and ParaView 5.6.0 on... 5
docker.io docker.io/openfoamplus/of_v1612plus_centos66 Offical image of OpenFOAM+ (v1612+) provid... 5
docker.io docker.io/openfoam/openfoam7-paraview56 Image of OpenFOAM v7 and ParaView 5.6.0 on... 4
docker.io docker.io/openfoamplus/of_v1706_centos73 Offical image of OpenFOAM(v1706) provided ... 4
docker.io docker.io/openfoamplus/of_v1712_centos73 Offical docker image of OpenFOAM(v1712) pr... 4
docker.io docker.io/openfoam/openfoam6-paraview54 Image of OpenFOAM v6 and ParaView 5.4.0 on... 3
docker.io docker.io/openfoamplus/of_v1812_centos73 Offical docker image of OpenFOAM(v1806) pr... 3
docker.io docker.io/openfoamplus/of_v1806_centos73 Offical docker image of OpenFOAM(v1806) pr... 2
docker.io docker.io/openfoamplus/of_v1906_centos73 Official docker image of OpenFOAM(v1906 ve... 2
docker.io docker.io/dicehub/openfoam OpenFOAM image for use in DICE (Dynamic In... 1
docker.io docker.io/openfoam/openfoam-dev-graphical-apps OpenFOAM-dev on Ubuntu 16.04 using the ope... 1
docker.io docker.io/openfoam/openfoam-dev-paraview54 OpenFOAM-dev and ParaView 5.4.0 on Ubuntu ... 1
docker.io docker.io/openfoam/openfoam-dev-paraview56 Image of OpenFOAM-dev and ParaView 5.6.0 o... 1
docker.io docker.io/openfoam/openfoam4-paraview50 Image of OpenFOAM v4 and ParaView 5.0.1 on... 1
docker.io docker.io/openfoam/openfoam5-graphical-apps Image of OpenFOAM v5 on Ubuntu 16.04 from ... 1
docker.io docker.io/openfoam/openfoam6-graphical-apps Image of OpenFOAM v6 on Ubuntu 18.04 from ... 1
docker.io docker.io/unifem/openfoam-ccx Docker Image for OpenFOAM and Calculix 1 [OK]
docker.io docker.io/nerdalize/openfoam This image makes it easy to run OpenFOAM o... 0 [OK]
docker.io docker.io/openfoam/openfoam-dev-paraview50 OpenFOAM-dev and ParaView 5.0.1 on Ubuntu ... 0
docker.io docker.io/parallelworks/openfoam OpenFOAM 0
docker.io docker.io/parallelworks/openfoam240_pvpython OpenFOAM240 with Python Paraview 0
docker.io docker.io/parallelworks/openfoam4 OpenFOAM Base Container 0

References:

  1. HOWTO: Secure container/docker environments by managing privileges for admins and users
  2. How to fix docker: Got permission denied while trying to connect to the Docker daemon socket

Useful Commands for Centrify Suite

Taken from [TIPS] A Centrify Server Suite Cheat Sheet


BASIC Troubleshooting

Pt 1. To check the general status of the client

$ adinfo
Local host name: xxx
Joined to domain: xxx.com
Joined as: xxx
Pre-win2K name: xxx
Current DC: xxx
Preferred site: NTU-Site
Zone: xxx
Last password set: 2019-07-24 06:29:08 +08
CentrifyDC mode: connected
Licensed Features: Enabled

Pt 2. To see the corresponding Centrify Suite Version

$ adinfo --suite-version
adinfo (CentrifyDC 5.5.0-200)
Centrify Server Suite 2018

Pt 3. To view Active Directory connectivity to the current domain

$ adinfo --test
Domain Diagnostics:
Domain:
DNS query for:
DNS query for:
Testing Active Directory connectivity:
Domain Controller:
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
Domain Controller:
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
Domain Controller:
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
Domain Controller:
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
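As an added example (not part of the cheat sheet or of Centrify's own tooling), the two functions below turn the output of `adinfo` (Pt 1) and `adinfo --test` (Pt 3) into a pass/fail health check suitable for cron or a monitoring agent, so a client that has slipped into the disconnected mode described above, or lost a DC port, is noticed before users see failed logins. The sample output, including the "failed" status word, is constructed.

```shell
#!/bin/sh
# Added example: health checks over "adinfo" and "adinfo --test" output.

# Read "adinfo --test" on stdin; print "DC<tab>probe<tab>status" for every
# port probe whose status is not "good". Exit 0 when all probes are good, else 1.
adtest_failures() {
    awk -F': *' '
        { gsub(/^[[:space:]]+/, "", $1) }               # real output indents the probe lines
        $1 == "Domain Controller" { dc = ($2 == "") ? "(unnamed)" : $2; next }
        $1 ~ /^(ldap|smb|kdc|kpasswd|ntp)$/ {
            n = split($2, f, " - ")                     # "389/tcp - good" -> port, status
            if (f[n] != "good") { bad++; printf "%s\t%s %s\t%s\n", dc, $1, f[1], f[n] }
        }
        END { exit (bad > 0) }
    '
}

# Read plain "adinfo" output on stdin; exit 0 only if adclient reports
# "CentrifyDC mode: connected" (anything else is the disconnected mode
# described in KB-1425).
adclient_connected() {
    awk -F': *' '/^CentrifyDC mode:/ { ok = ($2 == "connected") }
                 END { exit (ok ? 0 : 1) }'
}

# Constructed samples: one healthy DC, one with a failed KDC probe, and an
# adinfo report from a client that has gone into disconnected mode.
ADTEST_SAMPLE='Domain Controller: dc1.example.com
    ldap: 389/tcp - good
    kdc: 88/tcp - good
Domain Controller: dc2.example.com
    ldap: 389/tcp - good
    kdc: 88/tcp - failed'
ADINFO_SAMPLE='Local host name: node1
Joined to domain: example.com
CentrifyDC mode: disconnected'

printf '%s\n' "$ADTEST_SAMPLE" | adtest_failures || echo "adinfo --test: some probes failed"
printf '%s\n' "$ADINFO_SAMPLE" | adclient_connected || echo "adclient is not connected"
```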

Pt 4: To see the current joined Centrify zone

$ adinfo --zone
xxx.com/MyOU/Centrify/Zones/Global

ADVANCED / TROUBLESHOOTING Information

Pt 5: To check the status of the DNS cache and stats

$ adinfo --diag dns
adinfo (CentrifyDC 5.5.0-200)
Host Diagnostics
uname: Linux hpc-gekko1 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64
OS: CentOS
Version: 7.0
Number of CPUs: 32
…..
…..

Pt 6: To check network connectivity statistics

$ adinfo --sysinfo netstate
System Diagnostic
===============Network State===================
Site Map
com.sg=>PreferredSite:XXX.com, SubnetSite:XXX-Site
Domain Map
…
…
state: alive
swept: 21 mins ago
...

Pt 7: To see the status of the AD computer trust relationship

$ adinfo --sysinfo adagent
System Diagnostic
===================adagent internals===================
Binding Table
$=>main11.main.ntu.edu.sg(MAIN.NTU.EDU.SG) connected
xxx.com=>xxx.com disconnected
xxx1=>xxx1.com disconnected
xxx2=>xxx2.com connected
xxx3=>xxx3.com connected

TESTING Credentials Information

$ adinfo -A --user myuserid
Active Directory password:
...