Authenticate Linux To Active Directory On Windows - Centrify Express

I was working with a coworker today to setup a new Redmine server running on top of Ubunut 12.04 and one of the steps we completed in the process was setting up LDAP authentication in Redmine. Setting up LDAP authentication in Redmine requires the server running Redmine to be joined to the Windows Active Directory domain so I needed a quick way to auth Linux on Active Directory. I have used Centrify in the past and remember it being really easy to setup authentication from any form of Linux to a Windows domain and again it did not disappoint. Follow the directions below to join a Linux server to Active Directory using Centrify.

Authenticate Linux To Active Directory On Windows Using Centrify Express:

Download Centrify Express: First click here to select the proper Centrify download for your Linux version. The current Ubuntu 12.04 Centrify filename is centrify-suite-2013-deb5-x86_64.tgz. You will need to manually download the file and then SCP it over to the server where Centrify needs to be installed.
SCP To Server & Unpack Centrify: Now as noted above SCP the Centrify agent package to the server that needs to authenticate to Active Directory. I suggest copying the package to /usr/local/src which is a great directory to work from. After getting the package to the server create a centrify directory such as /usr/local/src/centrify and copy the package into this new directory as it unpacks flat. Now use tar to decompress and unpack the Centrify agent package. The files that will be unpacked in the current Centrify agent package are listed below.
bash
1. root@redmine:/usr/local/src# tar -zxvf centrify-suite-2013-deb5-x86_64.tgz
2. ./adcheck-deb5-x86_64
3. ./centrify-suite.cfg
4. ./centrifyda-3.0.0-deb5-x86_64.deb
5. ./centrifydc-5.1.0-deb5-x86_64.deb
6. ./centrifydc-install.cfg
7. ./centrifydc-ldapproxy-5.1.0-deb5-x86_64.deb
8. ./centrifydc-nis-5.1.0-deb5-x86_64.deb
9. ./centrifydc-openssh-6.0p1-5.1.0-deb5-x86_64.deb
10. ./install-express.sh
11. ./install.sh
12. ./release-notes-agent-deb5-x86_64.txt
13. ./release-notes-da-deb5-x86_64.txt
14. ./release-notes-nis-deb5-x86_64.txt
15. ./release-notes-openssh-deb5-x86_64.txt
16. root@redmine:/usr/local/src#
Run Centrify Installer: One of the files you unpacked above was named installer.sh and another named installer-express.sh. In my first pass with the installer I ran “./installer.sh” as seen below however I should have run “./installer-express” though you can still install Centrify Express from the installer.sh file its preferred to use installer-express.sh.So from the /usr/local/src/centrify directory issue the below command and follow through the prompts answering yes to all questions.
bash
1. root@redmine:/usr/local/src# ./install.sh
3. ***** *****
4. ***** WELCOME to the Centrify Suite installer! *****
5. ***** *****
7. Detecting local platform ...
9. Running ./adcheck-deb5-x86_64 ...
10. OSCHK : Verify that this is a supported OS : Pass
11. PATCH : Linux patch check : Pass
12. PORTMAP : Verify that portmap or rpcbind is installed : Warning
13. : Could not install CentrifyDC-nis package.
14. : PORTMAP not installed. Please install required
15. : portmap or rpcbind package, which CentrifyDC-nis
16. : depends on
18. PERL : Verify perl is present and is a good version : Pass
19. SAMBA : Inspecting Samba installation : Pass
20. SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass
21. HOSTNAME : Verify hostname setting : Pass
22. NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass
23. DNSPROBE : Probe DNS server 192.168.100.100 : Pass
24. DNSCHECK : Analyze basic health of DNS servers : Warning
25. : Only one DNS server was found in /etc/resolv.conf.
26. : At least one backup DNS server is recommended for
27. : enterprise installations.
28. : Only one good DNS server was found
29. : You might be able to continue but it is likely that you
30. : will have problems.
31. : Add more good DNS servers into /etc/resolv.conf.
33. WHATSSH : Is this an SSH that DirectControl works well with : Pass
34. SSH : SSHD version and configuration : Warning
35. : You are running OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012.
36. :
37. : This version of OpenSSH does not seem to be configured for PAM,
38. : ChallengeResponse and Kerberos/GSSAPI support.
39. : To get Active Directory users to successfully login,
40. : you need to configure your OpenSSH with the following options:
41. : (display the ones we identified were not set)
42. : ChallengeResponseAuthentication yes
43. : UsePAM Yes
44. :
45. : Centrify provides a version of OpenSSH that's configured properly
46. : to allow AD users to login and provides Kerberos GSSAPI support.
47. :
48. : If you install Centrify Express or Centrify Suite
49. : Standard or Enterprise Edition, the Centrify build of
50. : OpenSSH will be installed automatically. Alternatively
51. : you may choose individual Suite packages to install
52. : with the Custom install option.
54. 3 warnings were encountered during check. We recommend checking these before proceeding
56. WARNING: adcheck exited with warning(s).
58. With this script, you can perform the following tasks:
59. - Install (update) Centrify Suite Enterprise Edition (License required) [E]
60. - Install (update) Centrify Suite Standard Edition (License required) [S]
61. - Install (update) Centrify Suite Express Edition [X]
62. - Custom install (update) of individual packages [C]
64. You can type Q at any prompt to quit the installation and exit
65. the script without making any changes to your environment.
67. How do you want to proceed? (E|S|X|C|Q) [E]:Q
68. root@redmine:/usr/local/src/centrify#
Notice that there were 3 warnings so I quit the installer by typing Q followed by enter at the first prompt. You should always allow the check to run with Centrify and then attempt to resolve any errors or warning generated. Two of the warnings I am able to resolve so the next two steps may or may not be part of your installation process depending on what warnings you received during the check. In my case I needed to install portmap and modify the sshd_config file.
Install portmap On Ubuntu 12.04: One of the warnings from the Centrify check script was related to portmap or rpcbind not being installed. Use the command below to install portmap on Ubuntu 12.04 Precise Pangolin.
bash
1. root@redmine:/usr/local/src# apt-get install portmap
2. Reading package lists... Done
3. Building dependency tree
4. Reading state information... Done
5. Note, selecting 'rpcbind' instead of 'portmap'
6. The following extra packages will be installed:
7. libgssglue1 libtirpc1
8. The following NEW packages will be installed:
9. libgssglue1 libtirpc1 rpcbind
10. 0 upgraded, 3 newly installed, 0 to remove and 72 not upgraded.
11. Need to get 150 kB of archives.
12. After this operation, 519 kB of additional disk space will be used.
13. Do you want to continue [Y/n]? Y
14. Get:1 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main libgssglue1 amd64 0.3-4ubuntu0.1 [22.5 kB]
15. Get:2 http://us.archive.ubuntu.com/ubuntu/ precise/main libtirpc1 amd64 0.2.2-5 [84.2 kB]
16. Get:3 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main rpcbind amd64 0.2.0-7ubuntu1.2 [42.9 kB]
17. Fetched 150 kB in 0s (357 kB/s)
18. Selecting previously unselected package libgssglue1.
19. (Reading database ... 60692 files and directories currently installed.)
20. Unpacking libgssglue1 (from .../libgssglue1_0.3-4ubuntu0.1_amd64.deb) ...
21. Selecting previously unselected package libtirpc1.
22. Unpacking libtirpc1 (from .../libtirpc1_0.2.2-5_amd64.deb) ...
23. Selecting previously unselected package rpcbind.
24. Unpacking rpcbind (from .../rpcbind_0.2.0-7ubuntu1.2_amd64.deb) ...
25. Processing triggers for man-db ...
26. Processing triggers for ureadahead ...
27. ureadahead will be reprofiled on next reboot
28. Setting up libgssglue1 (0.3-4ubuntu0.1) ...
29. Setting up libtirpc1 (0.2.2-5) ...
30. Setting up rpcbind (0.2.0-7ubuntu1.2) ...
31. Removing any system startup links for /etc/init.d/rpcbind ...
32. portmap start/running, process 9396
33. Processing triggers for libc-bin ...
34. ldconfig deferred processing now taking place
35. root@redmine:/usr/local/src/centrify#
Modify sshd_config On Ubuntu: Next I needed to modify the sshd_config file to allow challenge/response authentication. So PAM was already set to yes in my sshd_config. Search the /etc/ssh/sshd_config file for ChallengeResponseAuthentication and verify it is not commented out and also make sure it is set to Yes and not No. In my case I modified the old line below to become the new line output below it.
bash
1. old: ChallengeResponseAuthentication no
2. new: ChallengeResponseAuthentication yes
Once you have modified the sshd_config you will need to restart SSH using “/etc/init.d/ssh restart” or “service ssh restart” for the changes to become
Run Centrify Express Installer Again: It is not time to run the Centrify Express installer again once you have resolved all warnings and/or errors noted in the first check. This time the only warnings were regarding the fact that this setup only had a single Windows Domain Controller.
bash
1. root@redmine:/usr/local/src# ./install-express.sh
2. ***** *****
3. ***** WELCOME to the Centrify Express installer! *****
4. ***** *****
5. Detecting local platform ...
7. Running ./adcheck-deb5-x86_64 ...
8. OSCHK : Verify that this is a supported OS : Pass
9. PATCH : Linux patch check : Pass
10. PORTMAP : Verify that portmap or rpcbind is installed : Pass
11. PERL : Verify perl is present and is a good version : Pass
12. SAMBA : Inspecting Samba installation : Pass
13. SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass
14. HOSTNAME : Verify hostname setting : Pass
15. NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass
16. DNSPROBE : Probe DNS server 192.168.100.100 : Pass
17. DNSPROBE : Probe DNS server 4.2.2.2 : Warning
18. : This DNS server does not respond to requests. This is a serious problem
20. DNSCHECK : Analyze basic health of DNS servers : Warning
21. : One or more DNS servers are dead or marginal.
22. : Check the following IP addresses in /etc/resolv.conf.
23. :
24. : The following table lists the state of all configured
25. : DNS servers.
26. : 38.97.236.148 (vmscan8.accuvant.com): OK
27. : 4.2.2.2 (b.resolvers.Level3.net): dead
28. : Only one good DNS server was found
29. : You might be able to continue but it is likely that you
30. : will have problems.
31. : Add more good DNS servers into /etc/resolv.conf.
33. WHATSSH : Is this an SSH that DirectControl works well with : Pass
34. SSH : SSHD version and configuration : Note
35. : You are running OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012.
36. :
37. : If you install Centrify Express or Centrify Suite
38. : Standard or Enterprise Edition, the Centrify build of
39. : OpenSSH will be installed automatically. Alternatively
40. : you may choose individual Suite packages to install
41. : with the Custom install option.
43. 2 warnings were encountered during check. We recommend checking these before proceeding
45. WARNING: adcheck exited with warning(s).
47. With this script, you can perform the following tasks:
48. - Install (update) Centrify Suite Enterprise Edition (License required) [E]
49. - Install (update) Centrify Suite Standard Edition (License required) [S]
50. - Install (update) Centrify Suite Express Edition [X]
51. - Custom install (update) of individual packages [C]
53. You can type Q at any prompt to quit the installation and exit
54. the script without making any changes to your environment.
56. How do you want to proceed? (E|S|X|C|Q) [X]:
57. Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]:
59. Please enter the Active Directory domain to check [company.com]: example.com
60. Join an Active Directory domain? (Q|Y|N) [Y]:
61. Enter the Active Directory domain to join [example.com]:
62. Enter the Active Directory authorized user [administrator]: redmine
63. Enter the password for the Active Directory user:
64. Enter the computer name [redmine]:
65. Enter the container DN [Computers]:
66. Enter the name of the domain controller [auto detect]: dc.example.com
67. Reboot the computer after installation? (Q|Y|N) [Y]:
69. You chose Centrify Suite Express Edition and entered the following:
70. Install CentrifyDC 5.1.0 package: Y
71. Install CentrifyDC-nis 5.1.0 package: N
72. Install CentrifyDC-openssh 5.1.0 package: Y
73. Install CentrifyDC-ldapproxy 5.1.0 package: N
74. Install CentrifyDA 3.0.0 package: N
75. Run adcheck : Y
76. Join an Active Directory domain : Y
77. Active Directory domain to join : example.com
78. Active Directory authorized user : redmine
79. computer name : redmine
80. container DN : Computers
81. domain controller name : dc.example.com
82. Reboot computer : Y
84. If this information is correct and you want to proceed, type "Y".
85. To change any information, type "N" and enter new information.
86. Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]:
88. Running ./adcheck-deb5-x86_64 ...
89. NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass
90. DNSPROBE : Probe DNS server 192.168.100.100 : Pass
91. DNSPROBE : Probe DNS server 4.2.2.2 : Warning
92. : This DNS server does not respond to requests. This is a serious problem
94. DNSCHECK : Analyze basic health of DNS servers : Warning
95. : One or more DNS servers are dead or marginal.
96. : Check the following IP addresses in /etc/resolv.conf.
97. :
98. : The following table lists the state of all configured
99. : DNS servers.
100. : 192.168.100.100 (dc.example.com): OK
101. : 4.2.2.2 (unknown): dead
102. : Only one good DNS server was found
103. : You might be able to continue but it is likely that you
104. : will have problems.
105. : Add more good DNS servers into /etc/resolv.conf.
107. WHATSSH : Is this an SSH that DirectControl works well with : Pass
108. SSH : SSHD version and configuration : Note
109. : You are running OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012.
110. :
111. : If you install Centrify Express or Centrify Suite
112. : Standard or Enterprise Edition, the Centrify build of
113. : OpenSSH will be installed automatically. Alternatively
114. : you may choose individual Suite packages to install
115. : with the Custom install option.
117. DOMNAME : Check that the domain name is reasonable : Pass
118. ADDC : Find domain controllers in DNS : Pass
119. ADDNS : DNS lookup of DC dc.example.com : Pass
120. ADPORT : Port scan of DC dc.example.com : Pass
121. ADDC : Check Domain Controllers : Pass
122. ADDNS : DNS lookup of DC dc.example.com : Pass
123. GCPORT : Port scan of GC dc.example.com : Pass
124. ADGC : Check Global Catalog servers : Pass
125. DCUP : Check for operational DCs in example.com : Pass
126. SITEUP : Check DCs for example.com in our site : Pass
127. DNSSYM : Check DNS server symmetry : Pass
128. ADSITE : Check that this machine's subnet is in a site known by AD : Pass
129. GSITE : See if we think this is the correct site : Pass
130. TIME : Check clock synchronization : Pass
131. ADSYNC : Check domains all synchronized : Pass
132. 2 warnings were encountered during check. We recommend checking these before proceeding
134. WARNING: adcheck exited with warning(s).
135. Selecting previously unselected package centrifydc.
136. (Reading database ... 60764 files and directories currently installed.)
137. Unpacking centrifydc (from .../centrifydc-5.1.0-deb5-x86_64.deb) ...
138. Selecting previously unselected package centrifydc-openssh.
139. Unpacking centrifydc-openssh (from .../centrifydc-openssh-6.0p1-5.1.0-deb5-x86_64.deb) ...
140. Setting up centrifydc (5.1.0-497) ...
141. Restoring group.ignore from /etc/centrifydc/custom/ ...
142. Restoring user.ignore from /etc/centrifydc/custom/ ...
143. Processing triggers for man-db ...
144. Processing triggers for ureadahead ...
145. Setting up centrifydc-openssh (6.0p1-5.1.0.472) ...
146. Joining the Active Directory domain example.com ...
147. Using domain controller: dc.example.com writable=true
148. Join to domain:example.com, zone:Auto Zone successful
150. Centrify DirectControl started.
151. Loading domains and trusts information
153. Initializing cache
154. .
155. You have successfully joined the Active Directory domain: example.com
156. in the Centrify DirectControl zone: Auto Zone
158. You may need to restart other services that rely upon PAM and NSS or simply
159. reboot the computer for proper operation. Failure to do so may result in
160. login problems for AD users.
162. Rebooting the computer ...
163. Rebooting now ...
164. Install.sh completed successfully.
165. root@redmine:/usr/local/src#
This time the Centrify Express installer completed without issue. Once you go through the installer completely your server will reboot to lockin the changes and join the domain on boot. Even though rebooting Linux seems fairly silly it is also a great test to make sure your server will join the Windows Domain if it is ever power cycled.
Verify Linux Server Joined Windows Domain: Now on the Domain Controller itself you should look underneath the Computers tree to see if the Linux server displays there as shown in the below example. In the above example the Linux server is named redmine and now displays in the authenticated servers on the Windows Domain Controller.
You should also double check that the centrifydc service is set to start at boot each time. You can do this by installing chkconfig (apt-get install chkconfig) and then running “chkconfig –list | grep centrify” from a shell on the Ubuntu Linux server.

So in my case the next steps involved configuring Redmine for LDAP and testing Redmine user logins using Windows credentials. All worked without issue and that is why Centrify blows software like likewise-open out of the water for a simple join of a Linux box to a Windows comain.