Authenticate Linux To Active Directory On Windows – Centrify Express

I was working with a coworker today to setup a new Redmine server running on top of Ubunut 12.04 and one of the steps we completed in the process was setting up LDAP authentication in Redmine. Setting up LDAP authentication in Redmine requires the server running Redmine to be joined to the Windows Active Directory domain so I needed a quick way to auth Linux on Active Directory. I have used Centrify in the past and remember it being really easy to setup authentication from any form of Linux to a Windows domain and again it did not disappoint. Follow the directions below to join a Linux server to Active Directory using Centrify.

Authenticate Linux To Active Directory On Windows Using Centrify Express:

1. Download Centrify Express: First click here to select the proper Centrify download for your Linux version. The current Ubuntu 12.04 Centrify filename is centrify-suite-2013-deb5-x86_64.tgz. You will need to manually download the file and then SCP it over to the server where Centrify needs to be installed. 
2. SCP To Server & Unpack Centrify: Now as noted above SCP the Centrify agent package to the server that needs to authenticate to Active Directory. I suggest copying the package to /usr/local/src which is a great directory to work from. After getting the package to the server create a centrify directory such as /usr/local/src/centrify and copy the package into this new directory as it unpacks flat. Now use tar to decompress and unpack the Centrify agent package. The files that will be unpacked in the current Centrify agent package are listed below.
   bash

   
   

   1. root@redmine:/usr/local/src# tar -zxvf centrify-suite-2013-deb5-x86_64.tgz
   2. ./adcheck-deb5-x86_64
   3. ./centrify-suite.cfg
   4. ./centrifyda-3.0.0-deb5-x86_64.deb
   5. ./centrifydc-5.1.0-deb5-x86_64.deb
   6. ./centrifydc-install.cfg
   7. ./centrifydc-ldapproxy-5.1.0-deb5-x86_64.deb
   8. ./centrifydc-nis-5.1.0-deb5-x86_64.deb
   9. ./centrifydc-openssh-6.0p1-5.1.0-deb5-x86_64.deb
   10. ./install-express.sh
   11. ./install.sh
   12. ./release-notes-agent-deb5-x86_64.txt
   13. ./release-notes-da-deb5-x86_64.txt
   14. ./release-notes-nis-deb5-x86_64.txt
   15. ./release-notes-openssh-deb5-x86_64.txt
   16. root@redmine:/usr/local/src#
3. Run Centrify Installer: One of the files you unpacked above was named installer.sh and another named installer-express.sh. In my first pass with the installer I ran “./installer.sh” as seen below however I should have run “./installer-express” though you can still install Centrify Express from the installer.sh file its preferred to use installer-express.sh.So from the /usr/local/src/centrify directory issue the below command and follow through the prompts answering yes to all questions.
   bash

   
   

   1. root@redmine:/usr/local/src# ./install.sh
   2.  
   3. *****                                                                 *****
   4. *****             WELCOME to the Centrify Suite installer!            *****
   5. *****                                                                 *****
   6.  
   7. Detecting local platform ...
   8.  
   9. Running ./adcheck-deb5-x86_64 ...
   10. OSCHK    : Verify that this is a supported OS                          : Pass
   11. PATCH    : Linux patch check                                           : Pass
   12. PORTMAP  : Verify that portmap or rpcbind is installed                 : Warning
   13.          : Could not install CentrifyDC-nis package.
   14.          : PORTMAP not installed. Please install required
   15.          : portmap or rpcbind package, which CentrifyDC-nis
   16.          : depends on
   17.  
   18. PERL     : Verify perl is present and is a good version                : Pass
   19. SAMBA    : Inspecting Samba installation                               : Pass
   20. SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass
   21. HOSTNAME : Verify hostname setting                                     : Pass
   22. NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
   23. DNSPROBE : Probe DNS server 192.168.100.100                              : Pass
   24. DNSCHECK : Analyze basic health of DNS servers                         : Warning
   25.          : Only one DNS server was found in /etc/resolv.conf.
   26.          : At least one backup DNS server is recommended for
   27.          : enterprise installations.
   28.          : Only one good DNS server was found
   29.          : You might be able to continue but it is likely that you
   30.          : will have problems.
   31.          : Add more good DNS servers into /etc/resolv.conf.
   32.  
   33. WHATSSH  : Is this an SSH that DirectControl works well with           : Pass
   34. SSH      : SSHD version and configuration                              : Warning
   35.          : You are running OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012.
   36.          :
   37.          : This version of OpenSSH does not seem to be configured for PAM,
   38.          : ChallengeResponse and Kerberos/GSSAPI support.
   39.          : To get Active Directory users to successfully login,
   40.          : you need to configure your OpenSSH with the following options:
   41.          : (display the ones we identified were not set)
   42.          : ChallengeResponseAuthentication yes
   43.          : UsePAM Yes
   44.          :
   45.          : Centrify provides a version of OpenSSH that's configured properly
   46.         : to allow AD users to login and provides Kerberos GSSAPI support.
   47.         :
   48.         : If you install Centrify Express or Centrify Suite
   49.         : Standard or Enterprise Edition, the Centrify build of
   50.         : OpenSSH will be installed automatically. Alternatively
   51.         : you may choose individual Suite packages to install
   52.         : with the Custom install option.
   53.  
   54. 3 warnings were encountered during check. We recommend checking these before proceeding
   55.  
   56. WARNING: adcheck exited with warning(s).
   57.  
   58. With this script, you can perform the following tasks:
   59.    - Install (update) Centrify Suite Enterprise Edition (License required) [E]
   60.    - Install (update) Centrify Suite Standard Edition (License required) [S]
   61.    - Install (update) Centrify Suite Express Edition [X]
   62.    - Custom install (update) of individual packages [C]
   63.  
   64. You can type Q at any prompt to quit the installation and exit
   65. the script without making any changes to your environment.
   66.  
   67. How do you want to proceed? (E|S|X|C|Q) [E]:Q
   68. root@redmine:/usr/local/src/centrify#

   Notice that there were 3 warnings so I quit the installer by typing Q followed by enter at the first prompt. You should always allow the check to run with Centrify and then attempt to resolve any errors or warning generated. Two of the warnings I am able to resolve so the next two steps may or may not be part of your installation process depending on what warnings you received during the check. In my case I needed to install portmap and modify the sshd_config file.

4. Install portmap On Ubuntu 12.04: One of the warnings from the Centrify check script was related to portmap or rpcbind not being installed. Use the command below to install portmap on Ubuntu 12.04 Precise Pangolin.
   bash

   
   

   1. root@redmine:/usr/local/src# apt-get install portmap
   2. Reading package lists... Done
   3. Building dependency tree
   4. Reading state information... Done
   5. Note, selecting 'rpcbind' instead of 'portmap'
   6. The following extra packages will be installed:
   7. libgssglue1 libtirpc1
   8. The following NEW packages will be installed:
   9. libgssglue1 libtirpc1 rpcbind
   10. 0 upgraded, 3 newly installed, 0 to remove and 72 not upgraded.
   11. Need to get 150 kB of archives.
   12. After this operation, 519 kB of additional disk space will be used.
   13. Do you want to continue [Y/n]? Y
   14. Get:1 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main libgssglue1 amd64 0.3-4ubuntu0.1 [22.5 kB]
   15. Get:2 http://us.archive.ubuntu.com/ubuntu/ precise/main libtirpc1 amd64 0.2.2-5 [84.2 kB]
   16. Get:3 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main rpcbind amd64 0.2.0-7ubuntu1.2 [42.9 kB]
   17. Fetched 150 kB in 0s (357 kB/s)
   18. Selecting previously unselected package libgssglue1.
   19. (Reading database ... 60692 files and directories currently installed.)
   20. Unpacking libgssglue1 (from .../libgssglue1_0.3-4ubuntu0.1_amd64.deb) ...
   21. Selecting previously unselected package libtirpc1.
   22. Unpacking libtirpc1 (from .../libtirpc1_0.2.2-5_amd64.deb) ...
   23. Selecting previously unselected package rpcbind.
   24. Unpacking rpcbind (from .../rpcbind_0.2.0-7ubuntu1.2_amd64.deb) ...
   25. Processing triggers for man-db ...
   26. Processing triggers for ureadahead ...
   27. ureadahead will be reprofiled on next reboot
   28. Setting up libgssglue1 (0.3-4ubuntu0.1) ...
   29. Setting up libtirpc1 (0.2.2-5) ...
   30. Setting up rpcbind (0.2.0-7ubuntu1.2) ...
   31. Removing any system startup links for /etc/init.d/rpcbind ...
   32. portmap start/running, process 9396
   33. Processing triggers for libc-bin ...
   34. ldconfig deferred processing now taking place
   35. root@redmine:/usr/local/src/centrify#
5. Modify sshd_config On Ubuntu: Next I needed to modify the sshd_config file to allow challenge/response authentication. So PAM was already set to yes in my sshd_config. Search the /etc/ssh/sshd_config file for ChallengeResponseAuthentication and verify it is not commented out and also make sure it is set to Yes and not No. In my case I modified the old line below to become the new line output below it.
   bash

   
   

   1. old: ChallengeResponseAuthentication no
   2.     new: ChallengeResponseAuthentication yes

   Once you have modified the sshd_config you will need to restart SSH using “/etc/init.d/ssh restart” or “service ssh restart” for the changes to become

6. Run Centrify Express Installer Again: It is not time to run the Centrify Express installer again once you have resolved all warnings and/or errors noted in the first check. This time the only warnings were regarding the fact that this setup only had a single Windows Domain Controller.
   bash

   
   

   1. root@redmine:/usr/local/src# ./install-express.sh
   2. *****                                                                   *****
   3. *****             WELCOME to the Centrify Express installer!            *****
   4. *****                                                                   *****
   5. Detecting local platform ...
   6.  
   7. Running ./adcheck-deb5-x86_64 ...
   8. OSCHK    : Verify that this is a supported OS                          : Pass
   9. PATCH    : Linux patch check                                           : Pass
   10. PORTMAP  : Verify that portmap or rpcbind is installed                 : Pass
   11. PERL     : Verify perl is present and is a good version                : Pass
   12. SAMBA    : Inspecting Samba installation                               : Pass
   13. SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass
   14. HOSTNAME : Verify hostname setting                                     : Pass
   15. NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
   16. DNSPROBE : Probe DNS server 192.168.100.100                            : Pass
   17. DNSPROBE : Probe DNS server 4.2.2.2                                    : Warning
   18. : This DNS server does not respond to requests. This is a serious problem
   19.  
   20. DNSCHECK : Analyze basic health of DNS servers                         : Warning
   21. : One or more DNS servers are dead or marginal.
   22. : Check the following IP addresses in /etc/resolv.conf.
   23. :
   24. : The following table lists the state of all configured
   25. : DNS servers.
   26. :  38.97.236.148 (vmscan8.accuvant.com): OK
   27. :  4.2.2.2 (b.resolvers.Level3.net): dead
   28. : Only one good DNS server was found
   29. : You might be able to continue but it is likely that you
   30. : will have problems.
   31. : Add more good DNS servers into /etc/resolv.conf.
   32.  
   33. WHATSSH  : Is this an SSH that DirectControl works well with           : Pass
   34. SSH      : SSHD version and configuration                              : Note
   35. : You are running OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012.
   36. :
   37. : If you install Centrify Express or Centrify Suite
   38. : Standard or Enterprise Edition, the Centrify build of
   39. : OpenSSH will be installed automatically. Alternatively
   40. : you may choose individual Suite packages to install
   41. : with the Custom install option.
   42.  
   43. 2 warnings were encountered during check. We recommend checking these before proceeding
   44.  
   45. WARNING: adcheck exited with warning(s).
   46.  
   47. With this script, you can perform the following tasks:
   48. - Install (update) Centrify Suite Enterprise Edition (License required) [E]
   49. - Install (update) Centrify Suite Standard Edition (License required) [S]
   50. - Install (update) Centrify Suite Express Edition [X]
   51. - Custom install (update) of individual packages [C]
   52.  
   53. You can type Q at any prompt to quit the installation and exit
   54. the script without making any changes to your environment.
   55.  
   56. How do you want to proceed? (E|S|X|C|Q) [X]:
   57. Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]:
   58.  
   59. Please enter the Active Directory domain to check [company.com]: example.com
   60. Join an Active Directory domain? (Q|Y|N) [Y]:
   61. Enter the Active Directory domain to join [example.com]:
   62. Enter the Active Directory authorized user [administrator]: redmine
   63. Enter the password for the Active Directory user:
   64. Enter the computer name [redmine]:
   65. Enter the container DN [Computers]:
   66. Enter the name of the domain controller [auto detect]: dc.example.com
   67. Reboot the computer after installation? (Q|Y|N) [Y]:
   68.  
   69. You chose Centrify Suite Express Edition and entered the following:
   70. Install CentrifyDC 5.1.0 package: Y
   71. Install CentrifyDC-nis 5.1.0 package: N
   72. Install CentrifyDC-openssh 5.1.0 package: Y
   73. Install CentrifyDC-ldapproxy 5.1.0 package: N
   74. Install CentrifyDA 3.0.0 package: N
   75. Run adcheck                      : Y
   76. Join an Active Directory domain  : Y
   77. Active Directory domain to join  : example.com
   78. Active Directory authorized user : redmine
   79. computer name                    : redmine
   80. container DN                     : Computers
   81. domain controller name           : dc.example.com
   82. Reboot computer                  : Y
   83.  
   84. If this information is correct and you want to proceed, type "Y".
   85. To change any information, type "N" and enter new information.
   86. Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]:
   87.  
   88. Running ./adcheck-deb5-x86_64 ...
   89. NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
   90. DNSPROBE : Probe DNS server 192.168.100.100                            : Pass
   91. DNSPROBE : Probe DNS server 4.2.2.2                                    : Warning
   92. : This DNS server does not respond to requests. This is a serious problem
   93.  
   94. DNSCHECK : Analyze basic health of DNS servers                         : Warning
   95. : One or more DNS servers are dead or marginal.
   96. : Check the following IP addresses in /etc/resolv.conf.
   97. :
   98. : The following table lists the state of all configured
   99. : DNS servers.
   100. :  192.168.100.100 (dc.example.com): OK
   101. :  4.2.2.2 (unknown): dead
   102. : Only one good DNS server was found
   103. : You might be able to continue but it is likely that you
   104. : will have problems.
   105. : Add more good DNS servers into /etc/resolv.conf.
   106.  
   107. WHATSSH  : Is this an SSH that DirectControl works well with           : Pass
   108. SSH      : SSHD version and configuration                              : Note
   109. : You are running OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012.
   110. :
   111. : If you install Centrify Express or Centrify Suite
   112. : Standard or Enterprise Edition, the Centrify build of
   113. : OpenSSH will be installed automatically. Alternatively
   114. : you may choose individual Suite packages to install
   115. : with the Custom install option.
   116.  
   117. DOMNAME  : Check that the domain name is reasonable                    : Pass
   118. ADDC     : Find domain controllers in DNS                              : Pass
   119. ADDNS    : DNS lookup of DC dc.example.com                      : Pass
   120. ADPORT   : Port scan of DC dc.example.com                       : Pass
   121. ADDC     : Check Domain Controllers                                    : Pass
   122. ADDNS    : DNS lookup of DC dc.example.com                      : Pass
   123. GCPORT   : Port scan of GC dc.example.com                       : Pass
   124. ADGC     : Check Global Catalog servers                                : Pass
   125. DCUP     : Check for operational DCs in example.com               : Pass
   126. SITEUP   : Check DCs for example.com in our site                  : Pass
   127. DNSSYM   : Check DNS server symmetry                                   : Pass
   128. ADSITE   : Check that this machine's subnet is in a site known by AD   : Pass
   129. GSITE    : See if we think this is the correct site                    : Pass
   130. TIME     : Check clock synchronization                                 : Pass
   131. ADSYNC   : Check domains all synchronized                              : Pass
   132. 2 warnings were encountered during check. We recommend checking these before proceeding
   133.  
   134. WARNING: adcheck exited with warning(s).
   135. Selecting previously unselected package centrifydc.
   136. (Reading database ... 60764 files and directories currently installed.)
   137. Unpacking centrifydc (from .../centrifydc-5.1.0-deb5-x86_64.deb) ...
   138. Selecting previously unselected package centrifydc-openssh.
   139. Unpacking centrifydc-openssh (from .../centrifydc-openssh-6.0p1-5.1.0-deb5-x86_64.deb) ...
   140. Setting up centrifydc (5.1.0-497) ...
   141. Restoring group.ignore from /etc/centrifydc/custom/ ...
   142. Restoring user.ignore from /etc/centrifydc/custom/ ...
   143. Processing triggers for man-db ...
   144. Processing triggers for ureadahead ...
   145. Setting up centrifydc-openssh (6.0p1-5.1.0.472) ...
   146. Joining the Active Directory domain example.com ...
   147. Using domain controller: dc.example.com writable=true
   148. Join to domain:example.com, zone:Auto Zone successful
   149.  
   150. Centrify DirectControl started.
   151. Loading domains and trusts information
   152.  
   153. Initializing cache
   154. .
   155. You have successfully joined the Active Directory domain: example.com
   156. in the Centrify DirectControl zone: Auto Zone
   157.  
   158. You may need to restart other services that rely upon PAM and NSS or simply
   159. reboot the computer for proper operation.  Failure to do so may result in
   160. login problems for AD users.
   161.  
   162. Rebooting the computer ...
   163. Rebooting now ...
   164. Install.sh completed successfully.
   165. root@redmine:/usr/local/src#

   This time the Centrify Express installer completed without issue. Once you go through the installer completely your server will reboot to lockin the changes and join the domain on boot. Even though rebooting Linux seems fairly silly it is also a great test to make sure your server will join the Windows Domain if it is ever power cycled.

7. Verify Linux Server Joined Windows Domain: Now on the Domain Controller itself you should look underneath the Computers tree to see if the Linux server displays there as shown in the below example. In the above example the Linux server is named redmine and now displays in the authenticated servers on the Windows Domain Controller.
   You should also double check that the centrifydc service is set to start at boot each time. You can do this by installing chkconfig (apt-get install chkconfig) and then running “chkconfig –list | grep centrify” from a shell on the Ubuntu Linux server.

So in my case the next steps involved configuring Redmine for LDAP and testing Redmine user logins using Windows credentials. All worked without issue and that is why Centrify blows software like likewise-open out of the water for a simple join of a Linux box to a Windows comain.