I was working with a coworker today to set up a new Redmine server running on Ubuntu 12.04, and one of the steps in the process was setting up LDAP authentication in Redmine. LDAP authentication in Redmine requires the server running Redmine to be joined to the Windows Active Directory domain, so I needed a quick way to authenticate Linux against Active Directory. I have used Centrify in the past and remember it being really easy to set up authentication from any flavor of Linux to a Windows domain, and again it did not disappoint. Follow the directions below to join a Linux server to Active Directory using Centrify Express.
Authenticate Linux To Active Directory On Windows Using Centrify Express:
- Download Centrify Express: First click here to select the proper Centrify download for your Linux version. The current Ubuntu 12.04 Centrify filename is centrify-suite-2013-deb5-x86_64.tgz. You will need to manually download the file and then SCP it over to the server where Centrify needs to be installed.
- SCP To Server & Unpack Centrify: As noted above, SCP the Centrify agent package to the server that needs to authenticate to Active Directory. I suggest copying the package to /usr/local/src, which is a convenient directory to work from. Once the package is on the server, create a dedicated directory such as /usr/local/src/centrify and copy the package into it, because the archive unpacks flat into the current directory. Then use tar to decompress and unpack the Centrify agent package. The files contained in the current Centrify agent package are listed below.
```text
root@redmine:/usr/local/src# tar -zxvf centrify-suite-2013-deb5-x86_64.tgz
./adcheck-deb5-x86_64
./centrify-suite.cfg
./centrifyda-3.0.0-deb5-x86_64.deb
./centrifydc-5.1.0-deb5-x86_64.deb
./centrifydc-install.cfg
./centrifydc-ldapproxy-5.1.0-deb5-x86_64.deb
./centrifydc-nis-5.1.0-deb5-x86_64.deb
./centrifydc-openssh-6.0p1-5.1.0-deb5-x86_64.deb
./install-express.sh
./install.sh
./release-notes-agent-deb5-x86_64.txt
./release-notes-da-deb5-x86_64.txt
./release-notes-nis-deb5-x86_64.txt
./release-notes-openssh-deb5-x86_64.txt
root@redmine:/usr/local/src#
```
- Run Centrify Installer: Two of the files you unpacked above are named install.sh and install-express.sh. On my first pass I ran ./install.sh as seen below, but I should have run ./install-express.sh; you can still install Centrify Express from install.sh, but install-express.sh is the preferred way. So from the /usr/local/src/centrify directory issue the command below and follow the prompts, answering yes to all questions.
```text
root@redmine:/usr/local/src# ./install.sh
*****                                            *****
*****  WELCOME to the Centrify Suite installer!  *****
*****                                            *****

Detecting local platform ...
Running ./adcheck-deb5-x86_64 ...
OSCHK    : Verify that this is a supported OS                  : Pass
PATCH    : Linux patch check                                   : Pass
PORTMAP  : Verify that portmap or rpcbind is installed         : Warning
         : Could not install CentrifyDC-nis package.
         : PORTMAP not installed. Please install required
         : portmap or rpcbind package, which CentrifyDC-nis
         : depends on
PERL     : Verify perl is present and is a good version        : Pass
SAMBA    : Inspecting Samba installation                       : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass
HOSTNAME : Verify hostname setting                             : Pass
NSHOSTS  : Check hosts line in /etc/nsswitch.conf              : Pass
DNSPROBE : Probe DNS server 192.168.100.100                    : Pass
DNSCHECK : Analyze basic health of DNS servers                 : Warning
         : Only one DNS server was found in /etc/resolv.conf.
         : At least one backup DNS server is recommended for
         : enterprise installations.
         : Only one good DNS server was found
         : You might be able to continue but it is likely that you
         : will have problems.
         : Add more good DNS servers into /etc/resolv.conf.
WHATSSH  : Is this an SSH that DirectControl works well with   : Pass
SSH      : SSHD version and configuration                      : Warning
         : You are running OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012.
         :
         : This version of OpenSSH does not seem to be configured for PAM,
         : ChallengeResponse and Kerberos/GSSAPI support.
         : To get Active Directory users to successfully login,
         : you need to configure your OpenSSH with the following options:
         : (display the ones we identified were not set)
         : ChallengeResponseAuthentication yes
         : UsePAM Yes
         :
         : Centrify provides a version of OpenSSH that's configured properly
         : to allow AD users to login and provides Kerberos GSSAPI support.
         :
         : If you install Centrify Express or Centrify Suite
         : Standard or Enterprise Edition, the Centrify build of
         : OpenSSH will be installed automatically. Alternatively
         : you may choose individual Suite packages to install
         : with the Custom install option.
3 warnings were encountered during check. We recommend checking these before proceeding
WARNING: adcheck exited with warning(s).

With this script, you can perform the following tasks:
  - Install (update) Centrify Suite Enterprise Edition (License required) [E]
  - Install (update) Centrify Suite Standard Edition (License required) [S]
  - Install (update) Centrify Suite Express Edition [X]
  - Custom install (update) of individual packages [C]
You can type Q at any prompt to quit the installation and exit
the script without making any changes to your environment.

How do you want to proceed? (E|S|X|C|Q) [E]:Q
root@redmine:/usr/local/src/centrify#
```
Notice that there were 3 warnings, so I quit the installer by typing Q followed by Enter at the first prompt. You should always let the Centrify check run and then attempt to resolve any errors or warnings it generates before installing. I was able to resolve two of the warnings, so the next two steps may or may not be part of your installation depending on what warnings you received during the check. In my case I needed to install portmap and modify the sshd_config file.
- Install portmap On Ubuntu 12.04: One of the warnings from the Centrify check script was related to portmap or rpcbind not being installed. Use the command below to install portmap on Ubuntu 12.04 Precise Pangolin.
```text
root@redmine:/usr/local/src# apt-get install portmap
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'rpcbind' instead of 'portmap'
The following extra packages will be installed:
  libgssglue1 libtirpc1
The following NEW packages will be installed:
  libgssglue1 libtirpc1 rpcbind
0 upgraded, 3 newly installed, 0 to remove and 72 not upgraded.
Need to get 150 kB of archives.
After this operation, 519 kB of additional disk space will be used.
Do you want to continue [Y/n]? Y
Get:1 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main libgssglue1 amd64 0.3-4ubuntu0.1 [22.5 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu/ precise/main libtirpc1 amd64 0.2.2-5 [84.2 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main rpcbind amd64 0.2.0-7ubuntu1.2 [42.9 kB]
Fetched 150 kB in 0s (357 kB/s)
Selecting previously unselected package libgssglue1.
(Reading database ... 60692 files and directories currently installed.)
Unpacking libgssglue1 (from .../libgssglue1_0.3-4ubuntu0.1_amd64.deb) ...
Selecting previously unselected package libtirpc1.
Unpacking libtirpc1 (from .../libtirpc1_0.2.2-5_amd64.deb) ...
Selecting previously unselected package rpcbind.
Unpacking rpcbind (from .../rpcbind_0.2.0-7ubuntu1.2_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
ureadahead will be reprofiled on next reboot
Setting up libgssglue1 (0.3-4ubuntu0.1) ...
Setting up libtirpc1 (0.2.2-5) ...
Setting up rpcbind (0.2.0-7ubuntu1.2) ...
Removing any system startup links for /etc/init.d/rpcbind ...
portmap start/running, process 9396
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@redmine:/usr/local/src/centrify#
```
- Modify sshd_config On Ubuntu: Next I needed to modify the sshd_config file to allow challenge/response authentication; UsePAM was already set to yes in my sshd_config. Search /etc/ssh/sshd_config for ChallengeResponseAuthentication, verify that the line is not commented out, and make sure it is set to yes rather than no. In my case I changed the old line below to the new line shown under it.

```text
old: ChallengeResponseAuthentication no
new: ChallengeResponseAuthentication yes
```
Once you have modified the sshd_config you will need to restart SSH using “/etc/init.d/ssh restart” or “service ssh restart” for the changes to become
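The two warnings fixed by hand above (rpcbind missing, ChallengeResponseAuthentication off) and the DNS warning the check keeps raising are simple to verify and correct from a script before the installer is run a second time. The script below is an added example, not part of the original post or of Centrify's tooling; the function names (`sshd_option`, `ensure_sshd_option`, `count_nameservers`, `rpcbind_installed`, `preflight`) are my own, and the files it builds in a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or Centrify): script the
# pre-flight fixes so adcheck comes back clean on the second run.

# Effective value of an sshd_config keyword (first active occurrence, as
# sshd itself reads it), lower-cased so "Yes" and "yes" compare equal.
# Prints nothing if the keyword is unset or only present commented out.
sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Set KEY to VALUE in an sshd_config: the first active or commented-out
# occurrence is rewritten in place, otherwise the setting is appended.
# Re-running it never produces a duplicate line.
ensure_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        !done && (tolower($1) == tolower(k) ||
                  tolower($1) == ("#" tolower(k)) ||
                  ($1 == "#" && tolower($2) == tolower(k))) {
            print k, v; done = 1; next
        }
        { print }
        END { if (!done) print k, v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode/owner
    rm -f "$tmp"
}

# Number of nameserver entries; adcheck warns when there is only one.
count_nameservers() {
    awk '$1 == "nameserver" { n++ } END { print n + 0 }' "$1"
}

# True when the rpcbind (portmap) package is installed, according to dpkg.
rpcbind_installed() {
    dpkg-query -W -f='${Status}\n' rpcbind 2>/dev/null | grep -q 'install ok installed'
}

# One line per check; the return value is the number of failed checks.
# On the host being joined, run it on the real files:
#   preflight /etc/ssh/sshd_config /etc/resolv.conf
preflight() {
    sshd_cfg=$1 resolv=$2 fails=0
    for key in ChallengeResponseAuthentication UsePAM; do
        if [ "$(sshd_option "$sshd_cfg" "$key")" = yes ]; then
            echo "PASS  $key yes"
        else
            echo "FAIL  $key is not yes (fix: ensure_sshd_option $sshd_cfg $key yes, then restart ssh)"
            fails=$((fails + 1))
        fi
    done
    ns=$(count_nameservers "$resolv")
    if [ "$ns" -ge 2 ]; then
        echo "PASS  $ns nameservers in $resolv"
    else
        echo "WARN  only $ns nameserver in $resolv; adcheck recommends a second one"
    fi
    if rpcbind_installed; then
        echo "PASS  rpcbind installed"
    else
        echo "FAIL  rpcbind/portmap missing (fix: apt-get install portmap)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Demonstration on constructed copies, not the live files: an Ubuntu-style
# sshd_config with the option commented out, and a single-resolver resolv.conf
# (the post's domain controller is the only nameserver).
demo_dir=$(mktemp -d)
printf '%s\n' '# Package generated configuration file' 'Port 22' \
    '#ChallengeResponseAuthentication no' 'UsePAM yes' > "$demo_dir/sshd_config"
printf 'nameserver 192.168.100.100\n' > "$demo_dir/resolv.conf"

echo "== before =="
preflight "$demo_dir/sshd_config" "$demo_dir/resolv.conf" || echo "$? check(s) failed"
ensure_sshd_option "$demo_dir/sshd_config" ChallengeResponseAuthentication yes
echo "== after fixing sshd_config =="
preflight "$demo_dir/sshd_config" "$demo_dir/resolv.conf" || echo "$? check(s) failed"
rm -rf "$demo_dir"
```

`ensure_sshd_option` rewrites the first matching line rather than appending, because sshd honours only the first occurrence of a keyword; appending `ChallengeResponseAuthentication yes` below an active `no` would leave the warning in place. After changing the live file, restart sshd as the post describes so the new setting is read.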
- Run Centrify Express Installer Again: It is now time to run the Centrify Express installer again, once you have resolved all warnings and/or errors noted in the first check. This time the only warnings were about this setup having a single Windows domain controller.
```text
root@redmine:/usr/local/src# ./install-express.sh
*****                                              *****
*****  WELCOME to the Centrify Express installer!  *****
*****                                              *****

Detecting local platform ...
Running ./adcheck-deb5-x86_64 ...
OSCHK    : Verify that this is a supported OS                  : Pass
PATCH    : Linux patch check                                   : Pass
PORTMAP  : Verify that portmap or rpcbind is installed         : Pass
PERL     : Verify perl is present and is a good version        : Pass
SAMBA    : Inspecting Samba installation                       : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass
HOSTNAME : Verify hostname setting                             : Pass
NSHOSTS  : Check hosts line in /etc/nsswitch.conf              : Pass
DNSPROBE : Probe DNS server 192.168.100.100                    : Pass
DNSPROBE : Probe DNS server 4.2.2.2                            : Warning
         : This DNS server does not respond to requests. This is a serious problem
DNSCHECK : Analyze basic health of DNS servers                 : Warning
         : One or more DNS servers are dead or marginal.
         : Check the following IP addresses in /etc/resolv.conf.
         :
         : The following table lists the state of all configured
         : DNS servers.
         : 38.97.236.148 (vmscan8.accuvant.com): OK
         : 4.2.2.2 (b.resolvers.Level3.net): dead
         : Only one good DNS server was found
         : You might be able to continue but it is likely that you
         : will have problems.
         : Add more good DNS servers into /etc/resolv.conf.
WHATSSH  : Is this an SSH that DirectControl works well with   : Pass
SSH      : SSHD version and configuration                      : Note
         : You are running OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012.
         :
         : If you install Centrify Express or Centrify Suite
         : Standard or Enterprise Edition, the Centrify build of
         : OpenSSH will be installed automatically. Alternatively
         : you may choose individual Suite packages to install
         : with the Custom install option.
2 warnings were encountered during check. We recommend checking these before proceeding
WARNING: adcheck exited with warning(s).

With this script, you can perform the following tasks:
  - Install (update) Centrify Suite Enterprise Edition (License required) [E]
  - Install (update) Centrify Suite Standard Edition (License required) [S]
  - Install (update) Centrify Suite Express Edition [X]
  - Custom install (update) of individual packages [C]
You can type Q at any prompt to quit the installation and exit
the script without making any changes to your environment.

How do you want to proceed? (E|S|X|C|Q) [X]:
Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]:
Please enter the Active Directory domain to check [company.com]: example.com
Join an Active Directory domain? (Q|Y|N) [Y]:
Enter the Active Directory domain to join [example.com]:
Enter the Active Directory authorized user [administrator]: redmine
Enter the password for the Active Directory user:
Enter the computer name [redmine]:
Enter the container DN [Computers]:
Enter the name of the domain controller [auto detect]: dc.example.com
Reboot the computer after installation? (Q|Y|N) [Y]:

You chose Centrify Suite Express Edition and entered the following:
    Install CentrifyDC 5.1.0 package: Y
    Install CentrifyDC-nis 5.1.0 package: N
    Install CentrifyDC-openssh 5.1.0 package: Y
    Install CentrifyDC-ldapproxy 5.1.0 package: N
    Install CentrifyDA 3.0.0 package: N
    Run adcheck : Y
    Join an Active Directory domain : Y
    Active Directory domain to join : example.com
    Active Directory authorized user : redmine
    computer name : redmine
    container DN : Computers
    domain controller name : dc.example.com
    Reboot computer : Y

If this information is correct and you want to proceed, type "Y".
To change any information, type "N" and enter new information.
Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]:

Running ./adcheck-deb5-x86_64 ...
NSHOSTS  : Check hosts line in /etc/nsswitch.conf              : Pass
DNSPROBE : Probe DNS server 192.168.100.100                    : Pass
DNSPROBE : Probe DNS server 4.2.2.2                            : Warning
         : This DNS server does not respond to requests. This is a serious problem
DNSCHECK : Analyze basic health of DNS servers                 : Warning
         : One or more DNS servers are dead or marginal.
         : Check the following IP addresses in /etc/resolv.conf.
         :
         : The following table lists the state of all configured
         : DNS servers.
         : 192.168.100.100 (dc.example.com): OK
         : 4.2.2.2 (unknown): dead
         : Only one good DNS server was found
         : You might be able to continue but it is likely that you
         : will have problems.
         : Add more good DNS servers into /etc/resolv.conf.
WHATSSH  : Is this an SSH that DirectControl works well with   : Pass
SSH      : SSHD version and configuration                      : Note
         : You are running OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012.
         :
         : If you install Centrify Express or Centrify Suite
         : Standard or Enterprise Edition, the Centrify build of
         : OpenSSH will be installed automatically. Alternatively
         : you may choose individual Suite packages to install
         : with the Custom install option.
DOMNAME  : Check that the domain name is reasonable            : Pass
ADDC     : Find domain controllers in DNS                      : Pass
ADDNS    : DNS lookup of DC dc.example.com                     : Pass
ADPORT   : Port scan of DC dc.example.com                      : Pass
ADDC     : Check Domain Controllers                            : Pass
ADDNS    : DNS lookup of DC dc.example.com                     : Pass
GCPORT   : Port scan of GC dc.example.com                      : Pass
ADGC     : Check Global Catalog servers                        : Pass
DCUP     : Check for operational DCs in example.com            : Pass
SITEUP   : Check DCs for example.com in our site               : Pass
DNSSYM   : Check DNS server symmetry                           : Pass
ADSITE   : Check that this machine's subnet is in a site known by AD : Pass
GSITE    : See if we think this is the correct site            : Pass
TIME     : Check clock synchronization                         : Pass
ADSYNC   : Check domains all synchronized                      : Pass
2 warnings were encountered during check. We recommend checking these before proceeding
WARNING: adcheck exited with warning(s).

Selecting previously unselected package centrifydc.
(Reading database ... 60764 files and directories currently installed.)
Unpacking centrifydc (from .../centrifydc-5.1.0-deb5-x86_64.deb) ...
Selecting previously unselected package centrifydc-openssh.
Unpacking centrifydc-openssh (from .../centrifydc-openssh-6.0p1-5.1.0-deb5-x86_64.deb) ...
Setting up centrifydc (5.1.0-497) ...
Restoring group.ignore from /etc/centrifydc/custom/ ...
Restoring user.ignore from /etc/centrifydc/custom/ ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up centrifydc-openssh (6.0p1-5.1.0.472) ...

Joining the Active Directory domain example.com ...
Using domain controller: dc.example.com writable=true
Join to domain:example.com, zone:Auto Zone successful
Centrify DirectControl started.
Loading domains and trusts information
Initializing cache
.
You have successfully joined the Active Directory domain: example.com
in the Centrify DirectControl zone: Auto Zone

You may need to restart other services that rely upon PAM and NSS or simply
reboot the computer for proper operation. Failure to do so may result in
login problems for AD users.

Rebooting the computer ...
Rebooting now ...
Install.sh completed successfully.
root@redmine:/usr/local/src#
```
This time the Centrify Express installer completed without issue. Once you go through the installer completely, your server will reboot to lock in the changes and join the domain on boot. Even though rebooting Linux seems fairly silly, it is also a good test to make sure your server will rejoin the Windows domain if it is ever power cycled.
- Verify Linux Server Joined Windows Domain: Now on the domain controller itself, look under the Computers container to see whether the Linux server appears there, as it does in the example screenshot. In my case the Linux server, named redmine, now shows up among the computers joined to the Windows domain.
You should also double check that the centrifydc service is set to start at boot. You can do this by installing chkconfig (apt-get install chkconfig) and then running “chkconfig --list | grep centrify” from a shell on the Ubuntu server.
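The post-join checks above (the computer object on the DC, the service enabled at boot) can be turned into a small script that also confirms the agent is joined and that NSS resolves a domain account, which is what Redmine's LDAP login ultimately depends on. This is an added example, not from the original post or from Centrify; `chkconfig_enabled` and `post_join_report` are my own names, the listing it parses is constructed in the chkconfig output format (with a made-up `sample-svc` entry), and the "Joined to domain" line it looks for in `adinfo` output is an assumption about that tool's output format.

```shell
#!/bin/sh
# Added example (not from the original post or Centrify): post-join checks
# for the Ubuntu host. The chkconfig parser reads captured text, so it can be
# exercised offline; the live checks need the Centrify agent installed.

# Read `chkconfig --list` output on stdin and print "yes" if SERVICE is "on"
# in every multi-user runlevel (2-5), "no" if any of them is off, and
# "missing" if the service does not appear in the listing at all.
chkconfig_enabled() {
    awk -v svc="$1" '
        $1 == svc {
            on = 0
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[1] + 0 >= 2 && kv[1] + 0 <= 5 && kv[2] == "on") on++
            }
            print ((on == 4) ? "yes" : "no")
            found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# Constructed sample listing in the format chkconfig prints on Ubuntu;
# "sample-svc" is a made-up service used only to show a "no" result.
SAMPLE_LISTING='rpcbind          0:off  1:off  2:on   3:on   4:on   5:on   6:off
centrifydc       0:off  1:off  2:on   3:on   4:on   5:on   6:off
sample-svc       0:off  1:off  2:off  3:on   4:on   5:on   6:off'

# Live checks on the joined host: joined state, service running, service
# enabled at boot, and NSS lookup of a domain account. Prints one line per
# check and returns the number of failures.
post_join_report() {
    user=${1:-redmine}   # any domain account; "redmine" is the join user from the post
    fails=0
    # adinfo is the Centrify agent's status tool; matching on its
    # "Joined to domain:" line is an assumption about its output format.
    if adinfo 2>/dev/null | grep -q '^Joined to domain'; then
        echo "PASS  $(adinfo 2>/dev/null | grep '^Joined to domain')"
    else
        echo "FAIL  adinfo does not report a joined domain"; fails=$((fails + 1))
    fi
    if service centrifydc status >/dev/null 2>&1; then
        echo "PASS  centrifydc service is running"
    else
        echo "FAIL  centrifydc service is not running"; fails=$((fails + 1))
    fi
    case "$(chkconfig --list 2>/dev/null | chkconfig_enabled centrifydc)" in
        yes) echo "PASS  centrifydc starts in runlevels 2-5" ;;
        *)   echo "FAIL  centrifydc is not enabled at boot (or chkconfig is not installed)"
             fails=$((fails + 1)) ;;
    esac
    if getent passwd "$user" >/dev/null 2>&1; then
        echo "PASS  NSS resolves domain user $user"
    else
        echo "FAIL  getent passwd $user returned nothing; check nsswitch.conf and the agent"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Offline demonstration on the constructed listing.
for svc in centrifydc sample-svc nonesuch; do
    printf '%-12s %s\n' "$svc" "$(printf '%s\n' "$SAMPLE_LISTING" | chkconfig_enabled "$svc")"
done
```

On the joined host, run `post_join_report` after the reboot; it exits non-zero if any check failed, so it can also be dropped into a cron job or monitoring check to catch a server that silently drops out of the domain later.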
So in my case the next steps involved configuring Redmine for LDAP and testing Redmine user logins using Windows credentials. All worked without issue and that is why Centrify blows software like likewise-open out of the water for a simple join of a Linux box to a Windows domain.
Click here for more information about Centrify Express or click here for more Centrify related articles.
Thank you, very useful.
In this case, just for testing purposes, how can we revert the join process? I mean, how do we remove a PC from the domain? Thanks again.
(Sorry for my English.)