Enable Centrify Agent to read UID and GID from Centrify DirectManage Access Manager

We purchased Centrify Standard and set up DirectManage Access Manager. Next we installed the client agent on the compute node.

After unpacking and installing the agent, running

# getent passwd  |grep kittycool
kittycool:x:1304567321211:1304567321211:kittycool:/home/kittycool:/bin/bash
kittycool:x:10001:10001:kittycool:/home/kittycool:/bin/bash

The lookup returns two entries for the same user: the first carries a UID and GID that the agent generated automatically, the second carries the UID and GID (10001) defined for the user in DirectManage Access Manager. Two identities with different UIDs for one account is not cosmetic: file ownership, quotas and access decisions follow whichever entry a given lookup happens to return first.

To resolve this, join the host to the zone that DirectManage Access Manager manages, so that the user's UID and GID are taken from the zone definition. If the host is already joined, leave the domain with adleave first, then re-join with the -z option:

# adjoin -z cluster -u OU_Administrator staff.mycompany.com.sg -c "staff.mycompany.com.sg/HPC/Computers"

Here cluster is the zone name, OU_Administrator is an account with the right to join computers, and the -c argument is the container (in canonical path form) in which the computer object is created.

Check that only the zone-defined UID and GID are now returned:

# getent passwd  |grep kittycool
kittycool:x:10001:10001:kittycool:/home/kittycool:/bin/bash
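Duplicate entries like the ones above are easy to miss on a host with many users. The following shell script is added here as an example and is not part of the original post: it scans passwd(5)-formatted text for names that resolve to more than one UID and checks that a given user resolves exactly once. The sample lines are constructed from the output above; on a real host, feed it the output of getent passwd.

```shell
#!/bin/sh
# Added example (not from the original post): detect user names that NSS
# returns more than once with different UIDs, as happens when a host sees
# both an auto-generated identity and the zone-defined one from Access
# Manager.  Input is passwd(5)-formatted text: "getent passwd" on a real
# host, or the constructed sample below for an offline run.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
kittycool:x:1304567321211:1304567321211:kittycool:/home/kittycool:/bin/bash
kittycool:x:10001:10001:kittycool:/home/kittycool:/bin/bash
alice:x:10002:10002:alice:/home/alice:/bin/bash'

# Print "name uid1 uid2 ..." for every name that maps to more than one UID.
find_duplicate_uids() {
    awk -F: '
        # remember each distinct (name, uid) pair once, in input order
        !seen[$1, $3]++ { uids[$1] = uids[$1] " " $3; count[$1]++ }
        END {
            for (n in count) if (count[n] > 1) print n uids[n]
        }' | sort
}

# Exit 0 if user $1 resolves to exactly one entry on stdin, 1 otherwise.
check_user() {
    n=$(awk -F: -v u="$1" '$1 == u { c++ } END { print c + 0 }')
    [ "$n" -eq 1 ]
}

# Real host:    getent passwd | find_duplicate_uids
# Offline demo with the constructed sample:
printf '%s\n' "$SAMPLE_PASSWD" | find_duplicate_uids
# -> kittycool 1304567321211 10001
printf '%s\n' "$SAMPLE_PASSWD" | check_user kittycool || echo "kittycool: ambiguous identity"
```

Run it once before and once after the re-join with -z; an empty report from find_duplicate_uids is the condition you want before letting users on the node.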

Restricting SSH Access when using Centrify-Free

To restrict which users can log in through Centrify Express, manage the following files (one user or group name per line):

/etc/centrifydc/users.allow
/etc/centrifydc/groups.allow
/etc/centrifydc/users.deny
/etc/centrifydc/groups.deny

1. Create the files manually and place them in /etc/centrifydc. Next, edit /etc/centrifydc/centrifydc.conf, go to about line 273 and uncomment the line

.....
pam.allow.users: file:/etc/centrifydc/users.allow
.....

If you are blocking by groups, you can likewise uncomment the

.....
pam.allow.groups: file:/etc/centrifydc/groups.allow
.....

2. Flush and Reload Centrify-Free

# adflush
# adreload

3. Add the users you wish to allow, one per line, to /etc/centrifydc/users.allow, then run adflush and adreload again so the change is picked up. Note that pam.allow.users and pam.allow.groups are enforced by the Centrify PAM module for PAM logins in general, not only SSH, and that once an allow file is active any user not listed (directly or through an allowed group) is denied.
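A mistake in this procedure fails silently: a still-commented directive, a wrong path, or a typo in a user name simply lets the wrong set of people in. The script below is an added example, not part of the original post; it reads the active pam.allow.users and pam.allow.groups directives from a centrifydc.conf and reports whether a given name is on the allow list. The configuration and allow files are constructed in a temporary directory so it runs offline; on a real host point CONF at /etc/centrifydc/centrifydc.conf.

```shell
#!/bin/sh
# Added example (not from the original post): check which allow files are
# actually active in centrifydc.conf and whether a user is listed.  Group
# membership is deliberately not resolved here; use "id -Gn user" on a
# joined host for that.  All files below are constructed for the demo.

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/centrifydc.conf"
cat > "$CONF" <<EOF
# pam.allow.users: file:/etc/centrifydc/users.allow   (still commented out)
pam.allow.users: file:$WORK/users.allow
pam.allow.groups: file:$WORK/groups.allow
EOF
printf '%s\n' kittycool alice > "$WORK/users.allow"
printf '%s\n' hpc_admins      > "$WORK/groups.allow"

# allow_file CONF KEY: print the path from an active "KEY: file:PATH" line,
# nothing if the key is absent or only present as a comment.
allow_file() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                         # skip comments
        $1 == (key ":") && $2 ~ /^file:/ { sub(/^file:/, "", $2); print $2; exit }
    ' "$1"
}

# user_allowed CONF USER: exit 0 if USER is a whole line in the users file.
user_allowed() {
    f=$(allow_file "$1" pam.allow.users)
    [ -n "$f" ] && [ -r "$f" ] && grep -qx "$2" "$f"
}

# Listed names that do not resolve through NSS never match anyone; print
# them so a typo is caught before adreload.  (Needs getent on a real host.)
unresolvable_users() {
    f=$(allow_file "$1" pam.allow.users)
    [ -n "$f" ] || return 0
    while read -r u; do
        getent passwd "$u" >/dev/null 2>&1 || echo "$u"
    done < "$f"
}

user_allowed "$CONF" kittycool && echo "kittycool allowed"
user_allowed "$CONF" mallory   || echo "mallory denied"
```

The comment-skipping rule is the important part: the stock centrifydc.conf ships the directive commented out, and a grep that does not distinguish "#pam.allow.users" from "pam.allow.users" will report a restriction that is not in force.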

Mapping an AD account to a Local Linux Group with Centrify Express on CentOS 6

Step 1. In order to add the AD User to the local User Group

The adduser command is not NSS-aware, so it does not recognise a user who is not defined locally when adding that user to a group. Edit /etc/group directly instead:

# vim /etc/group
.....
.....
users:x:100:user1,user2

Step 2: Edit /etc/centrifydc/centrifydc.conf

Edit /etc/centrifydc/centrifydc.conf, uncomment the following parameter and set it to true. As the comment in the file says, the merge applies only to groups that exist on both sides with the same name and gid, and it departs from normal NSS behaviour, so verify the result rather than assuming it.

# Merge local group membership from /etc/group into the Centrify group
# response for groups with the same name and gid.  This violates the NSS
# interface behavior and may have unexpected side effects, so it is
# disabled by default. You must run adreload to detect changes
# in the local group file.
#
adclient.local.group.merge:true

Step 3: Reload and flush Centrify

# adreload && adflush

Step 4: Check and verify.

Log on as user1 and confirm that the local group (gid 100, users) now appears in the group list:

$ id -a
uid=.........gid=.......... 100(users) .....................
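Editing /etc/group by hand works, but repeated by hand across a cluster it invites duplicate members and broken lines. The script below is an added example, not part of the original post: it adds a user to a group in an /etc/group-style file idempotently, keeping the other fields intact. It runs offline against a constructed copy of the file; on a real host set GROUP_FILE=/etc/group and run it as root.

```shell
#!/bin/sh
# Added example (not from the original post): add a user that only NSS
# (Centrify) knows to a local group without adduser/usermod, which reject
# such names.  The group file below is constructed for the demo.

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
GROUP_FILE="$WORK/group"
cat > "$GROUP_FILE" <<'EOF'
root:x:0:
users:x:100:user1,user2
wheel:x:10:user1
EOF

# members_of FILE GROUP: print the member list of GROUP (empty if none).
members_of() {
    awk -F: -v g="$2" '$1 == g { print $4; exit }' "$1"
}

# add_to_group FILE GROUP USER: append USER to GROUP if not already there.
# Returns 1 if GROUP does not exist.  Writes to a copy (preserving the
# original file mode) and moves it into place.
add_to_group() {
    file=$1; group=$2; user=$3
    grep -q "^$group:" "$file" || return 1
    tmp=$(mktemp "$file.XXXXXX") && cp -p "$file" "$tmp" || return 1
    awk -F: -v OFS=: -v g="$group" -v u="$user" '
        $1 == g {
            found = 0
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
            if (!found) $4 = ($4 == "" ? u : $4 "," u)
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

add_to_group "$GROUP_FILE" users aduser1      # appended
add_to_group "$GROUP_FILE" users aduser1      # no duplicate on re-run
add_to_group "$GROUP_FILE" root  aduser1      # becomes the first member
members_of "$GROUP_FILE" users                # -> user1,user2,aduser1
```

On a live system prefer vigr, which locks the file while you edit; the script is for the case where the change must be scripted, and it should still be followed by adreload so the merge picks up the new membership.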

Add an Active Directory (AD) Domain Account to sudo on Centrify Express for CentOS 6

Adding an Active Directory (AD) domain account to /etc/sudoers is fairly easy on Centrify Express for CentOS 6. Suppose you have an AD group called “Sys_Admin”; add it to /etc/sudoers with visudo, prefixed with % because it is a group (AD group names containing spaces must be escaped, for example %Domain\ Admins):

.....
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
%Sys_Admin ALL=(ALL)       ALL
.....

If it is an individual user, first confirm that the account resolves through Centrify:

# getent passwd user1
user1:x:122:122:User1 Name:/home/user1:/bin/centrifyda

Update /etc/sudoers (again with visudo). A user entry has no % prefix; %user1 would refer to a group named user1, not to the user:

.....
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
user1 ALL=(ALL)       ALL
.....

Finally, log in as user1 and check that sudo works:

$ sudo -l

Matching Defaults entries for user1 on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user1 may run the following commands on this host:
(ALL) ALL
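The user-versus-group distinction above is the kind of thing that ends up wrong in a copy-pasted sudoers line, and a syntax error in /etc/sudoers.d locks everyone out of sudo. The script below is an added example and not part of the original post: it builds sudoers entries for AD identities, escaping spaces and choosing the % prefix only for groups, and validates the resulting drop-in with visudo -c -f before installing it. The names are hypothetical; the install target is a temporary directory for the demo, and on a real host it would be a file under /etc/sudoers.d.

```shell
#!/bin/sh
# Added example (not from the original post): generate and validate sudoers
# entries for AD users and groups.  "%" marks a GROUP, so a user is written
# without it; names with spaces (e.g. "Domain Admins") are backslash-escaped.

# sudoers_entry user|group NAME [COMMANDS] -> one sudoers line on stdout
sudoers_entry() {
    kind=$1; name=$2; cmds=${3:-ALL}
    esc=$(printf '%s' "$name" | sed 's/ /\\ /g')   # "Domain Admins" -> "Domain\ Admins"
    case $kind in
        user)  printf '%s ALL=(ALL) %s\n' "$esc" "$cmds" ;;
        group) printf '%%%s ALL=(ALL) %s\n' "$esc" "$cmds" ;;
        *)     echo "sudoers_entry: kind must be user or group" >&2; return 2 ;;
    esac
}

# install_dropin TARGET: write stdin to TARGET only if visudo accepts it.
# A bad file must never reach /etc/sudoers.d, because sudo then refuses
# every entry.  The check is skipped when visudo is not installed so the
# offline demo still completes.
install_dropin() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    if command -v visudo >/dev/null 2>&1 && ! visudo -c -f "$tmp" >/dev/null 2>&1; then
        echo "install_dropin: $1 rejected by visudo, not installed" >&2
        rm -f "$tmp"; return 1
    fi
    chmod 0440 "$tmp" && mv "$tmp" "$1"
}

# Demo with hypothetical names matching the section above.
{
    sudoers_entry group "Sys_Admin"
    sudoers_entry user  "user1"
    sudoers_entry group "Domain Admins" "/sbin/service sshd restart"
} | install_dropin "$(mktemp -d)/ad_admins" || echo "demo drop-in not installed"
```

The third entry shows the safer shape for most AD groups: a specific command list rather than ALL, which is what the page's examples grant.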

Basic Active Directory Authentication with Centrify Express for CentOS 6

Centrify Express is a free suite of Active Directory integration tools for authentication, single sign-on, remote access, file sharing and monitoring. In this tutorial, you will learn how to install Centrify Express on CentOS 6.

Step 1: Downloading

Go to Centrify Agent Download site.

Click the Centrify Agent for CentOS Linux 64-bit, or whichever distribution you are interested in.

Fill up the registration form and download the centrify-suite-2012.3-rhel3-x86_64.tgz which is about 26MB

After downloading, you may wish to create a directory in which to unpack the contents of centrify-suite-2012.3-rhel3-x86_64.tgz.

The essential package for a basic installation is centrifydc-5.0.2-rhel3-x86_64.rpm, but I also install centrifydc-openssh-5.9p1-4.5.4-rhel3-x86_64.rpm (Centrify's OpenSSH build).

Step 2: Installing the packages

# rpm -Uvh centrifydc-5.0.2-rhel3-x86_64.rpm
# rpm -Uvh centrifydc-openssh-5.9p1-4.5.4-rhel3-x86_64.rpm

Step 3: Join the Server to Active Directory

# adjoin -u ou_or_domain_admin -c ou=Servers,ou=Resources,ou=IT -w company_domain
  1. The ou_or_domain_admin account must have the right to join computers to the domain, that is, to create the computer object in the target OU; full domain admin rights are not required for this.
  2. The container is written innermost OU first: ou=Servers (the OU that will hold the computer object), then its parent ou=Resources, then ou=IT. The domain itself is given separately, and -w joins the host in workstation mode, which is why the join message below reports zone:Auto Zone.

You will be prompted for the password and should see console messages like these:

userid@company_domain's password:
Using writable domain controller: server1_company_domain
Join to domain:company_domain, zone:Auto Zone successful
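The innermost-first ordering of the -c argument is the part people get backwards, and this page itself uses two notations for the same thing: the canonical path form (staff.mycompany.com.sg/HPC/Computers in the first section) and the ou= form above. The script below is an added example, not part of the original post; it converts between the two so the container handed to adjoin is built from the path shown in Active Directory Users and Computers rather than typed from memory. OU names containing commas would need LDAP escaping and are not handled.

```shell
#!/bin/sh
# Added example (not from the original post): convert a container given as
# a canonical path ("domain/OU1/OU2/.../OUn") into the innermost-first
# "ou=OUn,...,ou=OU1" form, and back.  The domain component is dropped
# because adjoin receives the domain as a separate argument.

# canonical_to_container "domain/OU1/.../OUn" -> "ou=OUn,...,ou=OU1"
canonical_to_container() {
    printf '%s\n' "$1" | awk -F/ '{
        out = ""
        for (i = NF; i >= 2; i--) {             # field 1 is the domain: skip it
            out = out (out == "" ? "" : ",") "ou=" $i
        }
        print out
    }'
}

# container_to_path "ou=OUn,...,ou=OU1" -> "OU1/.../OUn" (no domain)
container_to_path() {
    printf '%s\n' "$1" | awk -F, '{
        out = ""
        for (i = NF; i >= 1; i--) {
            v = $i; sub(/^[oO][uU]=/, "", v)
            out = out (out == "" ? "" : "/") v
        }
        print out
    }'
}

canonical_to_container "company_domain/IT/Resources/Servers"
# -> ou=Servers,ou=Resources,ou=IT
canonical_to_container "staff.mycompany.com.sg/HPC/Computers"
# -> ou=Computers,ou=HPC
container_to_path "ou=Servers,ou=Resources,ou=IT"
# -> IT/Resources/Servers
```

A typical use is `adjoin -u ou_or_domain_admin -c "$(canonical_to_container "$PATH_FROM_ADUC")" -w company_domain`, with the join account limited to creating computer objects in that one OU.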

Step 4: Flush the agent cache and reload its configuration (adflush clears cached AD data, adreload re-reads centrifydc.conf; neither restarts the daemon)

# adflush
# adreload

Step 5: To deprovision the server from Active Directory (the -r option also removes the computer object from the domain)

# adleave -u ou_or_domain_admin -r
Using writable domain controller: xxxx.xxxx.xxxx.xxxx.xxx.xxx
Centrify DirectControl stopped.