Showing posts with label Centrify. Show all posts

Friday, July 14, 2017

Testing the AD User Authentication with Centrify

Test 1: Test with SSH
The simplest way is to enable SSH and connect to the host as an AD user.

Test 2: Test with adinfo
# adinfo -A --user user1
Active Directory password:
Password for user "user1" is correct

Test 3: Test using kinit
# /usr/share/centrifydc/kerberos/bin/kinit user1

# /usr/share/centrifydc/kerberos/bin/klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user2@test.com
.....
.....
Valid starting       Expires           Service principal
.....
.....


Tuesday, August 16, 2016

Enable Centrify Agent to read UID and GID from Centrify DirectManage Access Manager

We purchased Centrify Standard and set up the DirectManage Access Manager. Next we installed the client agent on the compute node.

After unpacking and installing the agent, looking up the user with getent returns two entries:
# getent passwd  |grep kittycool
kittycool:x:1304567321211:1304567321211:kittycool:/home/kittycool:/bin/bash
kittycool:x:10001:10001:kittycool:/home/kittycool:/bin/bash

getent passwd | grep kittycool is returning two entries for the same user: one with the UID generated for the Active Directory account and one with the UID defined in DirectManage Access Manager, and the two UIDs differ.

To resolve this, specify the zone used by DirectManage Access Manager when joining the domain, so the user's UID is taken from DirectManage Access Manager:
# adjoin -z cluster -u OU_Administrator  staff.mycompany.com.sg -c "staff.mycompany.com.sg/HPC/Computers"

Check that the correct UID and GID are now displayed:
# getent passwd  |grep kittycool
kittycool:x:10001:10001:kittycool:/home/kittycool:/bin/bash
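As an added check (example code, not from the original post), the following shell function reads passwd-format lines and reports every user name that appears with more than one UID/GID pair, which is the symptom shown above. The sample data is constructed here; on a live host, pipe `getent passwd` into it.

```shell
# Added example (not from the original post): flag user names that the NSS
# stack returns more than once with differing UID/GID, i.e. an account being
# answered from two sources with different identity mappings.
# Reads passwd-format lines on stdin, prints each conflicting name once.
find_conflicting_uids() {
    awk -F: '
        NF >= 4 {
            key = $1
            val = $3 ":" $4
            if (key in seen) {
                # Same name seen again: report only if UID:GID differs
                if (seen[key] != val && !(key in reported)) {
                    print key
                    reported[key] = 1
                }
            } else {
                seen[key] = val
            }
        }' | sort -u
}

# Constructed sample resembling the output above: one account appears twice
# with different UIDs, one appears twice consistently, one appears once.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
kittycool:x:1304567321211:1304567321211:kittycool:/home/kittycool:/bin/bash
kittycool:x:10001:10001:kittycool:/home/kittycool:/bin/bash
user1:x:122:122:User1 Name:/home/user1:/bin/bash
user1:x:122:122:User1 Name:/home/user1:/bin/bash
user2:x:123:123:User2 Name:/home/user2:/bin/bash'

# Run the check over the constructed sample (expected result: kittycool).
check_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | find_conflicting_uids
}

# Run the check over the live NSS view of the host.
check_live() {
    getent passwd | find_conflicting_uids
}
```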

Tuesday, September 23, 2014

Centrify Error - Not authenticated: while getting service credentials: No credentials found with supported encryption


I was not able to authenticate with my password when I tried to log on with PuTTY; only the local root account was able to log on. A closer look at the log file shows:
Sep 17 12:00:00 node1 sshd[4725]: error: PAM: Authentication failure for user2 from 192.168.1.5
Sep 17 12:00:01 node1 adclient[7052]: WARN  audit User 'user2' not authenticated: while getting service credentials: No credentials found with supported encryption

The solution was very simple: just restart the centrifydc and centrify-sshd services (/etc/init.d/centrifydc and /etc/init.d/centrify-sshd).
# service centrifydc restart
# service centrify-sshd restart


Tuesday, August 12, 2014

Mapping an AD Account to a Local Linux Group with Centrify Express on CentOS 6

Step 1: Add the AD user to the local group by editing /etc/group directly. The adduser command is not nsswitch-aware and does not recognise a user that is not defined locally when adding someone to a group.
# vim /etc/group

.....
.....
users:x:100:user1,user2
Step 2: Edit /etc/centrifydc/centrifydc.conf, uncomment the following parameter and change it to true:
# Merge local group membership from /etc/group into the Centrify group
# response for groups with the same name and gid.  This violates the NSS
# interface behavior and may have unexpected side effects, so it is
# disabled by default. You must run adreload to detect changes
# in the local group file.
#
adclient.local.group.merge:true
Step 3: Centrify Load and Flush
# adreload && adflush
Step 4: Check and verify. Log on as user1:
$ id -a
uid=.........gid=.......... 100(users) .....................
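Because the group file has to be edited by hand here, the following added example (not from the original post) does the edit idempotently on a copy and gives a way to read back the member list for verification. The file path is a parameter so it can be tried on a scratch copy before touching the real /etc/group.

```shell
# Added example, not from the original post: append an AD user to a local
# group entry in a group file, the way the manual /etc/group edit above does,
# but idempotently and via a temporary file so a failed edit cannot truncate
# the real file. Usage: add_to_local_group <group_file> <group> <user>
add_to_local_group() {
    file=$1; group=$2; user=$3
    # Refuse if the group line does not exist; creating groups is a separate decision.
    grep -q "^${group}:" "$file" || { echo "group $group not in $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -F: -v OFS=: -v g="$group" -v u="$user" '
        $1 == g {
            n = split($4, m, ",")
            present = 0
            for (i = 1; i <= n; i++) if (m[i] == u) present = 1
            # Only touch the member field when the user is not already listed
            if (!present) $4 = ($4 == "" ? u : ($4 "," u))
        }
        { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print the member list of one group line, for verification (this is what
# "id" shows once adclient.local.group.merge is on and adreload has run).
# Usage: group_members <group_file> <group>
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}
```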

Sunday, August 10, 2014

Add an Active Directory (AD) Domain Account to sudo on Centrify Express for CentOS 6

Adding an Active Directory (AD) domain account to /etc/sudoers is fairly easy on Centrify Express for CentOS 6. Suppose you have an AD group called "Sys_Admin"; just add it to /etc/sudoers:
.....
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
%System_Admin ALL=(ALL)       ALL
.....
If it is an individual user, first get the user ID from Active Directory:
# getent passwd myuserid
user1:x:122:122:User1 Name:/home/user1:/bin/centrifyda
Update /etc/sudoers (an individual user is listed without the % prefix, which is reserved for groups):
.....
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
user1 ALL=(ALL)       ALL
.....
Do a final check that sudo is working by running, as user1:
# sudo -l

Matching Defaults entries for user1 on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user1 may run the following commands on this host:
(ALL) ALL
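The one syntactic difference between the two entries above is the % prefix: sudoers reads `%name` as a group and a bare `name` as a user. The added example below (not from the original post) builds such a line for either kind, escaping spaces that AD group names often contain, and checks a fragment with `visudo -cf` before it goes into /etc/sudoers.d.

```shell
# Added example, not from the original post: build a sudoers line for an AD
# principal. Groups get a leading "%", users do not; spaces in AD names
# (e.g. "Domain Admins") must be backslash-escaped for sudoers.
# Usage: sudoers_line <user|group> <name> [command spec]
sudoers_line() {
    kind=$1; name=$2; spec=${3:-"ALL=(ALL) ALL"}
    esc=$(printf '%s' "$name" | sed 's/ /\\ /g')
    case $kind in
        group) printf '%%%s %s\n' "$esc" "$spec" ;;
        user)  printf '%s %s\n'   "$esc" "$spec" ;;
        *)     echo "kind must be user or group" >&2; return 1 ;;
    esac
}

# Validate a fragment file with visudo before installing it (a syntax error
# in sudoers can lock everyone out of sudo). Returns 0 if accepted, 1 if
# rejected, 2 if visudo is not installed on this host.
validate_sudoers_fragment() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -cf "$1" >/dev/null 2>&1
}
```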

Wednesday, August 6, 2014

Enabling Debugging for Linux Systems for Centrify Express on CentOS 6

If you are using Centrify Express (the free edition), here are some tips to enable debugging. You can also watch the YouTube version from Centrify; see the reference section.

Step 1: Enable Debugging for Centrify
# /usr/share/centrifydc/bin/addebug on
/var/log/centrify_client.log does not exist. Creating now.
Configure /etc/rsyslog.conf
Send HUP signal to rsyslogd
Configure log level in /etc/centrifydc/centrifydc.conf
Reload /etc/centrifydc/centrifydc.conf
Centrify DirectControl debug logging is on
Step 2: Collect support information via adinfo_extra.sh
# adinfo --support

Collecting stack trace information via stacktrace.pl:

Collecting support information via adinfo_extra.sh:
Collecting information for adinfo --support now...
Collection finished. Compress now.
Successfully gzip /var/centrify/tmp/adinfo_support.tar
Step 3: Disable Debugging for Centrify
# /usr/share/centrifydc/bin/addebug off
Configure /etc/rsyslog.conf
Send HUP signal to rsyslogd
Configure log level in /etc/centrifydc/centrifydc.conf
Reload /etc/centrifydc/centrifydc.conf
Centrify DirectControl debug logging is off
Step 4: Check the file
# ls -al /var/centrify/tmp/adinfo_support.tar.gz

References:

  1. Centrify Express: Enabling Debugging for Linux Systems

Sunday, July 29, 2012

Basic Active Directory Authentication with Centrify Express for CentOS 6

Centrify Express is a free suite of Active Directory-based integration solutions for authentication, single sign-on, remote access, file sharing and monitoring. In this tutorial, you will learn how to install Centrify Express on CentOS.

Read on at Basic Active Directory Authentication with Centrify Express for CentOS 6.

Friday, March 4, 2011

Installing Centrify Express on CentOS 5


I tried installing the 64-bit Centrify Express on CentOS 5.4 x86_64 and it was quite smooth.

Prerequisites:
1. You have the root account and password
2. In order to join the domain, you need an Active Directory account with permission to add computers to the domain

Download Centrify Express:
1. Go to Download Centrify Express
2. You may also wish to look at the Centrify Express Linux Quick Start Guide (pdf) and the Centrify Express Admin Guide

Preparation for the Linux box to join Centrify
1. Change the hostname of the Linux computer. See blog entry Changing the hostname on CentOS

2. Ensure your /etc/nsswitch.conf contains the following line
hosts: files dns
See the man page for nsswitch.conf for more information on configuring nsswitch

3. Ensure your resolv.conf includes a DNS server that can resolve SRV records for your domain
# less /etc/resolv.conf
You should get something like
search example.com
nameserver 192.168.1.5

4. Now you are ready to install
# mkdir centrify-suite
# mv centrify-suite-2011-rhel3-x86_64.tgz centrify-suite/
# cd centrify-suite
# tar -zxvf centrify-suite-2011-rhel3-x86_64.tgz
# ./install-express.sh

Respond to the installation prompts (taken from the Centrify Admin Guide):

How do you want to proceed? (E|S|X|C|Q) [X]:
Accept the default, X (for Express Edition), by pressing Enter.

Do you want to run adcheck to verify your AD
environment? (Q|Y|N) [Y]:
Accept the default answer, Y (to run adcheck), by pressing
Enter.

Please enter the Active Directory domain to check:
Enter the fully qualified name of your AD domain; for example,
ad.example.com

Join an Active Directory domain? (Q|Y|N) [Y]
Accept the default answer, Y, to join a domain.

Enter the Active Directory authorized user
[administrator]:
Enter the password for the Active Directory user:

Press Enter to select the defaults for the following prompts:
Enter the computer name: [QA1.sales.acme.com]
Enter the container DN [Computers]:
Enter the name of the domain controller [auto detect]:
Reboot the computer after the installation (Q|Y|N) [Y]:

You will see a summary similar to the following:

You chose Centrify Suite Express Edition and entered the following:
Install CentrifyDC 4.4.0 package: Y
Install CentrifyDC-nis 4.4.0 package: N
Install CentrifyDC-openssh 4.3.1 package: Y
Install CentrifyDA 1.1.2 package: N
Run adcheck : Y
Join an Active Directory domain : Y
Active Directory domain to join : ad.example.com
Active Directory authorized user : administrator
computer name : computername.ad.example.com
container DN : Computers
domain controller name : auto detect
Reboot computer : Y

You can also join the Active Directory domain directly with adjoin:
# adjoin ad.example.com -u admin_user --force
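Preparation steps 2 and 3 above are the checks that most often fail a join, so here is an added pre-flight script (example code, not from the original post or from Centrify) that verifies them. File paths are parameters so the checks can be run against copies; on a live host pass /etc/nsswitch.conf and /etc/resolv.conf. The SRV lookup assumes the `host` utility is installed and queries the standard AD record `_ldap._tcp.dc._msdcs.<domain>`.

```shell
# Added example, not from the original post: pre-join checks for the
# nsswitch.conf, resolv.conf and DNS SRV requirements listed above.

# "hosts:" must name "files" before "dns", and "dns" must be present.
check_nsswitch_hosts() {
    awk '$1 == "hosts:" {
            f = 0; d = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !d) f = 1
                if ($i == "dns") d = 1
            }
            ok = (f && d)
         }
         END { exit ok ? 0 : 1 }' "$1"
}

# At least one "nameserver <addr>" line must be present.
check_resolv_nameserver() {
    awk '$1 == "nameserver" && $2 != "" { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# The domain must publish the domain-controller LDAP SRV record.
# Returns 2 (skipped) when the "host" utility is not installed.
check_srv_record() {
    command -v host >/dev/null 2>&1 || return 2
    host -t SRV "_ldap._tcp.dc._msdcs.$1" >/dev/null 2>&1
}

# Usage: preflight <nsswitch.conf> <resolv.conf> [domain]
# Prints each failed check; returns 0 only when every check passed.
preflight() {
    rc=0
    check_nsswitch_hosts "$1" || { echo "nsswitch hosts: needs 'files' before 'dns'"; rc=1; }
    check_resolv_nameserver "$2" || { echo "no nameserver line in $2"; rc=1; }
    if [ -n "$3" ]; then
        s=0; check_srv_record "$3" || s=$?
        case $s in
            1) echo "no SRV record _ldap._tcp.dc._msdcs.$3"; rc=1 ;;
            2) echo "host utility not installed; SRV check skipped" ;;
        esac
    fi
    return $rc
}
```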

Wednesday, February 16, 2011

Centrify Express Tips and Tricks

Centrify Express provides a couple of good links that give a quick start on configuring a Linux box to talk to Microsoft AD:
1. For the best-practice video, see Centrify Express Tips and Tricks
2. For the community site, including the forum, see Centrify Express Community Site