July 21, 2024 by kittycool only

SSL connection error For Delinea MFA with DirectControl

Muco of the Troubleshooting comes from the Knowledgebase Article is derived from KB-8958: MFA with DirectControl fails with SSL connection error and Preparing a Linux Client Server for Centrify and 2FA for CentOS-7

Problem :

When attempting to log in with a user that requires MFA the following error is presented:

$ ssh user@192.168.0.1
SSL Connection Error

Cause:

The error is likely due to a certificate problem. A required certificate may be missing or the permission may not be set correctly

How to check:

# /usr/share/centrifydc/bin/adcdiag

VERSION   : Verify that DirectControl version supports MFA               : Pass
JOINSTATE : Verify that DirectControl is in connected mode               : Pass
ZONECHK   : Verify that MFA is supported in the zone                     : Pass
SSHDCFG   : Verify that SSHD enables ChallengeResponseAuthentication     : Warning
          : Cannot read sshd configuration file. Probably you are not
          : using Delinea openssh. SSH login for MFA users will fail if
          : option ChallengeResponseAuthentication is not set to yes.
          : Please check and ensure ChallengeResponseAuthentication is
          : set to yes in sshd configuration file.
CDCCFG    : Verify that MFA options in centrifydc.conf are correct       : Pass
PROXYCFG  : Verify that HTTP proxy configuration is set properly         : Pass
CLDINST   : Verify that trusted Identity Platform instance is specified  : Pass
          : Successfully connected to Identity Platform and certificate
          : has been verified OK.
CNTRCFG   : Verify that Connectors are configured correctly              : Pass
CURCNTR   : Verify that DirectControl has selected a workable Connector  : Pass
CLOUDROLE : Verify that this machine has permissions to perform Identity
          : Platform authentication                                      : Pass
......
......
......

Check the Logs at /var/centrify/tmp…. You may notice some errors like

.....
.....
ERROR:
Not a trusted connector or no valid connector certificate installed locally.
SUGGESTIONS:
1. Verify that the IWA root CA certificate is installed in the system. Please refer to KB-7393 on how to configure the root CA certificate in the system.
2. Please collect connector log if you need Delinea support.
.....
.....

Resolution:

Check whether the Certificates have been added at

/etc/pki/ca-trust/source/anchors/
/var/centrify/net/certs

Check the SSH Settings at

# vim /etc/ssh/sshd_config

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no


# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes

Restart the SSHD Services

# systemctl restart sshd.service

Restart the Centrifydc services

# /usr/share/centrifydc/bin/centrifydc restart

Active Directory Flush and Reload

# adflush -f
# adreload

August 11, 2023 by kittycool only

Automating the Linux Client Server for Centrify and 2FA on Rocky Linux 8

The whole manual setup including those on the Active Directory can be found at Preparing a Linux Client Server for Centrify and 2FA for CentOS-7

If you just want to automate the Linux portion, here is something you may wish to consider.

Update the sshd_config Templates (The most important portion is that the “PasswordAuthentication no” and “ChallengeResponseAuthentication yes” is present. The whole sshd_config template is too large for me to put into the blog.

.....
.....
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes
.....
.....

- name: Generate /etc/ssh/sshd_config from /etc/ssh/sshd_config.j2 template
  template:
      src: ../templates/sshd_config.j2
      dest: /etc/ssh/sshd_config
      owner: root
      group: root
      mode: 0600
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"

- name: Restart SSH Service
  systemd:
    name: sshd
    state: restarted
    enabled: yes
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"
  changed_when: false

Here is Centrify_2FA.yml to insert the IWaTrustRoot.pem certificate

- name: Copy IwaTrustRoot.pem to /etc/pki/ca-trust/source/anchors/
  template:
      src: /usr/local/software/certificate/IwaTrustRoot.pem
      dest: /etc/pki/ca-trust/source/anchors/
      owner: root
      group: root
      mode: 0600
  become: true
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"

- name: Copy IwaTrustRoot.pem to /var/centrify/net/certs
  template:
      src: /usr/local/software/certificate/IwaTrustRoot.pem
      dest: /var/centrify/net/certs
      owner: root
      group: root
      mode: 0600
  become: true
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"

Restart the CentrifyDC and do a Flush so that the AD is updated.

- name: CentrifyDC Restart
  ansible.builtin.shell: "/usr/share/centrifydc/bin/centrifydc restart"
  register: centrifydc_status
  changed_when: false

- name: Active Directory Flush
  ansible.builtin.shell: "adflush -f"
  register: flush_status
  changed_when: false

- name: Centrify Service Restarted
  debug:
    msg: "Load Average: {{ centrifydc_status.stdout }}"

February 15, 2023 by kittycool only

Preparing a Linux Client Server for Centrify and 2FA for CentOS-7

Preliminary Notes:

You have to setup a Cloud Tenant from Centrify by registering an email with Centrify or Centrify Authorised Reseller.

Once the Tenant has been setup, the login link should have been sent to the email you have provided.

You will need to setup the 2FA Connector VM on premise. The recommended specification of the connectors. Port 443 should be opened for the VM.

4 Core; 8GB RAM; 100 GB HDD; Windows 2016 or later

At the Active Directory

Create UNIX computer group in AD if not already created
Add the UNIX computers that will require 2FA to the UNIX group
Create a UNIX Users group if not already created
Add Users that will require 2FA to the UNIX user group
Add the IWA root CA Certificate to the Centrify GPO. The IWA Certificate can be downloaded from the Centrify cloud but the connector needs to be setup first before we can download the IWA Certificate.

At the CentOS Server

Copying the IwaTRustRoot.pem Certificate to CentOS Linux Server

Change the extension of the IWA certificate that was downloaded from .cer to .pem
For CentOS, please copy the certificate to this location /etc/pki/ca-trust/source/anchors/ in the test server.
Copy the cert to /var/centrify/net/certs as well

Configure the SSH settings

# vim /etc/ssh/sshd_config

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no


# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes

Restart the SSHD Services

# systemctl restart sshd.service

Restart the Centrifydc services


# /usr/share/centrifydc/bin/centrifydc restart

Active Directory Flush

# adflush -f

Centrify Access Manager

At Centrify Access Manager, do add the MFA Users to require MFS for Login and UNIX Login in the required Computer. See Pix

Further notes:

Automating the Linux Client Server for Centrify and 2FA on Rocky Linux 8

April 27, 2022 by kittycool only

Delinea announces support for AlmaLinux and Rocky Linux

Finally, Delinea (Centrify) has added support for RHCOS, AlmaLinux x86_64, Rocky Linux. Good news indeed

As we continue to bolster our PAM solutions for Linux, the latest release of Server Suite adds support for RHCOS, AlmaLinux x86_64, and Rocky Linux.

Red Hat Enterprise Linux CoreOS (RHCOS) is a container-optimized operating system for running containers at scale. Both Rocky Linux and AlmaLinux are binary-compatible with Red Hat Enterprise Linux (RHEL) and have emerged as a viable alternative to CentOS.

………
Delinea announces support for AlmaLinux and Rocky Linux

December 22, 2021 by kittycool only

Starting and Stopping CentrifyDA Agent

If the agent is not running, run the following command to start it:

/usr/share/centrifydc/bin/centrifyda start

To stop the agent,

/usr/share/centrifydc/bin/centrifyda stop

References:

Starting and stopping the UNIX agent

December 22, 2021 by kittycool only

How to uninstall Centrify agent on Unix/Linux platforms?

As root or sudo, open a terminal and navigate to the folder where Centrify was first installed (typically /usr/share/centrifydc/bin) . On most Centrify DirectControl-managed systems, you can remove the Centrify DirectControl Agent and related files by running the uninstall.sh script.
as follows:

/bin/sh /usr/share/centrifydc/bin/uninstall.sh

For example:

Do you want to uninstall the CentrifyDC-5.8.1 package from this computer? (Q|Y|N) [N]:N

References

KB-1780: How to uninstall Centrify agent on Unix/Linux platforms?

October 10, 2021 by kittycool only

Using Centrify to get the username from uid

Getting the information from CentirfyDC-5.5.2 if we were given just the user id alone can be very easy. Just do a

% adquery user |grep 1111111

adquery user will list out all the users in the Centrify Console. You just need to parse the information you need with grep

May 18, 2021 by kittycool only

Centrify Client goes into disconnect mode

The article is taken from Centrify Knowledge Base (KB-1425): adclient goes into “disconnected mode”

Causes

There are several reasons why adclient can goes into disconnect mode. According to the article, it could be due to

Replication Delays
Expired Computer Password or not renewed or out of sync

Solution:

In Linux, you can restart the Centrify DirectControl Service

# /etc/init.d/centrifydc restart
Stopping Centrify DirectControl:                           [  OK  ]
Starting Centrify DirectControl:                           [  OK  ]
adclient state is: connected

OR you can reset computer object on UNIX/LINUX client:

# adkeytab -r -u administrator@yourdomain.com

Notes:

Machine password renewal can be turned off (for testing purposes only) in /etc/centrifydc/centrifydc.conf by making the following change and running adreload. (Default is 28 days)

adclient.krb5.password.change.interval: 0

August 14, 2019 by kittycool only

Useful Commands for Centrify Suite

Taken from [TIPS] A Centrify Server Suite Cheat Sheet

BASIC Troubleshooting

Pt 1. To check the general status of the client

$ adinfo

Local host name: xxx
Joined to domain: xxx.com
Joined as: xxx
Pre-win2K name: xxx
Current DC: xxx
Preferred site: NTU-Site
Zone: xxx
Last password set: 2019-07-24 06:29:08 +08
CentrifyDC mode: connected
Licensed Features: Enabled

Pt 2. To see the corresponding Centrify Suite Version

$ adinfo --suite-version

adinfo (CentrifyDC 5.5.0-200)
Centrify Server Suite 2018

Pt 3. To view Active Directory connectivity to the current domain

$ adinfo --test

Domain Diagnostics:
Domain:
DNS query for:
DNS query for:
Testing Active Directory connectivity:
Domain Controller:
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
Domain Controller:
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
Domain Controller:
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
Domain Controller:
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good

Pt 4: To see the current joined Centrify zone

$ adinfo --zone

xxx.com/MyOU/Centrify/Zones/Global

ADVANCED / TROUBLESHOOTING Information

Pt 5: To check the status of the DNS cache and stats

$ adinfo --diag dns
adinfo (CentrifyDC 5.5.0-200)

Host Diagnostics
uname: Linux hpc-gekko1 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64
OS: CentOS
Version: 7.0
Number of CPUs: 32
…..
…..

Pt 6: To check network connectivity statistics

$ adinfo --sysinfo netstate

System Diagnostic
===============Network State===================
Site Map
com.sg=>PreferredSite:XXX.com, SubnetSite:XXX-Site
Domain Map
…
…
state: alive
swept: 21 mins ago
...

Pt 7: To see the status of the AD computer trust relationship

$ adinfo --sysinfo adagent

System Diagnostic
===================adagent internals===================
Binding Table
$=>main11.main.ntu.edu.sg(MAIN.NTU.EDU.SG) connected
xxx.com=>xxx.com disconnected
xxx1=>xxx1.com disconnected
xxx2=>xxx2.com connected
xxx3=>xxx3.com connected

TESTING Credentials Information

$ adinfo -A --user myuserid

Active Directory password:
...

April 30, 2015 by kittycool only

Restricting SSH Access when using Centrify-Free

To restrict users from accessing the system using Centrify free can be easily managed by using the following files

/etc/centrifydc/users.allow
/etc/centrifydc/groups.allow
/etc/centrifydc/users.deny
/etc/centrifydc/groups.deny

1. You have to manually create the the files accordingly and place it at /etc/centifydc. Next you have to line 273 and uncomment the line

.....
pam.allow.users: file:/etc/centrifydc/users.allow
.....

If you are blocking by groups, you can likewise uncomment the

.....
pam.allow.groups: file:/etc/centrifydc/groups.allow
.....

2. Flush and Reload Centrify-Free

# adflush
# adreload

3. Add users you wish to have access into the system into /etc/centrifydc/users.allow

The Linux Cluster

Linux Cluster Blog is a collection of how-to and tutorials for Linux Cluster and Enterprise Linux

Centrify