Authenticate Linux To Active Directory On Windows – Centrify Express

I was working with a coworker today to setup a new Redmine server running on top of Ubunut 12.04 and one of the steps we completed in the process was setting up LDAP authentication in Redmine. Setting up LDAP authentication in Redmine requires the server running Redmine to be joined to the Windows Active Directory domain so I needed a quick way to auth Linux on Active Directory. I have used Centrify in the past and remember it being really easy to setup authentication from any form of Linux to a Windows domain and again it did not disappoint. Follow the directions below to join a Linux server to Active Directory using Centrify Express.

Authenticate Linux To Active Directory On Windows Using Centrify Express:

1. Download Centrify Express: First click here to select the proper Centrify download for your Linux version. The current Ubuntu 12.04 Centrify filename is centrify-suite-2013-deb5-x86_64.tgz. You will need to manually download the file and then SCP it over to the server where Centrify needs to be installed. 
2. SCP To Server & Unpack Centrify: Now as noted above SCP the Centrify agent package to the server that needs to authenticate to Active Directory. I suggest copying the package to /usr/local/src which is a great directory to work from. After getting the package to the server create a centrify directory such as /usr/local/src/centrify and copy the package into this new directory as it unpacks flat. Now use tar to decompress and unpack the Centrify agent package. The files that will be unpacked in the current Centrify agent package are listed below.
   bash

   
   

   1. root@redmine:/usr/local/src# tar -zxvf centrify-suite-2013-deb5-x86_64.tgz
   2. ./adcheck-deb5-x86_64
   3. ./centrify-suite.cfg
   4. ./centrifyda-3.0.0-deb5-x86_64.deb
   5. ./centrifydc-5.1.0-deb5-x86_64.deb
   6. ./centrifydc-install.cfg
   7. ./centrifydc-ldapproxy-5.1.0-deb5-x86_64.deb
   8. ./centrifydc-nis-5.1.0-deb5-x86_64.deb
   9. ./centrifydc-openssh-6.0p1-5.1.0-deb5-x86_64.deb
   10. ./install-express.sh
   11. ./install.sh
   12. ./release-notes-agent-deb5-x86_64.txt
   13. ./release-notes-da-deb5-x86_64.txt
   14. ./release-notes-nis-deb5-x86_64.txt
   15. ./release-notes-openssh-deb5-x86_64.txt
   16. root@redmine:/usr/local/src#
3. Run Centrify Installer: One of the files you unpacked above was named installer.sh and another named installer-express.sh. In my first pass with the installer I ran “./installer.sh” as seen below however I should have run “./installer-express” though you can still install Centrify Express from the installer.sh file its preferred to use installer-express.sh.So from the /usr/local/src/centrify directory issue the below command and follow through the prompts answering yes to all questions.
   bash

   
   

   1. root@redmine:/usr/local/src# ./install.sh***** *****
   2. ***** WELCOME to the Centrify Suite installer! *****
   3. ***** *****Detecting local platform ...Running ./adcheck-deb5-x86_64 ...
   4. OSCHK : Verify that this is a supported OS : Pass
   5. PATCH : Linux patch check : Pass
   6. PORTMAP : Verify that portmap or rpcbind is installed : Warning
   7. : Could not install CentrifyDC-nis package.
   8. : PORTMAP not installed. Please install required
   9. : portmap or rpcbind package, which CentrifyDC-nis
   10. : depends on
   11.  
   12. PERL : Verify perl is present and is a good version : Pass
   13. SAMBA : Inspecting Samba installation : Pass
   14. SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass
   15. HOSTNAME : Verify hostname setting : Pass
   16. NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass
   17. DNSPROBE : Probe DNS server 192.168.100.100 : Pass
   18. DNSCHECK : Analyze basic health of DNS servers : Warning
   19. : Only one DNS server was found in /etc/resolv.conf.
   20. : At least one backup DNS server is recommended for
   21. : enterprise installations.
   22. : Only one good DNS server was found
   23. : You might be able to continue but it is likely that you
   24. : will have problems.
   25. : Add more good DNS servers into /etc/resolv.conf.
   26.  
   27. WHATSSH : Is this an SSH that DirectControl works well with : Pass
   28. SSH : SSHD version and configuration : Warning
   29. : You are running OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012.
   30. :
   31. : This version of OpenSSH does not seem to be configured for PAM,
   32. : ChallengeResponse and Kerberos/GSSAPI support.
   33. : To get Active Directory users to successfully login,
   34. : you need to configure your OpenSSH with the following options:
   35. : (display the ones we identified were not set)
   36. : ChallengeResponseAuthentication yes
   37. : UsePAM Yes
   38. :
   39. : Centrify provides a version of OpenSSH that's configured properly
   40. : to allow AD users to login and provides Kerberos GSSAPI support.
   41. :
   42. : If you install Centrify Express or Centrify Suite
   43. : Standard or Enterprise Edition, the Centrify build of
   44. : OpenSSH will be installed automatically. Alternatively
   45. : you may choose individual Suite packages to install
   46. : with the Custom install option.
   47.  
   48. 3 warnings were encountered during check. We recommend checking these before proceeding
   49.  
   50. WARNING: adcheck exited with warning(s).
   51.  
   52. With this script, you can perform the following tasks:
   53. - Install (update) Centrify Suite Enterprise Edition (License required) [E]
   54. - Install (update) Centrify Suite Standard Edition (License required) [S]
   55. - Install (update) Centrify Suite Express Edition [X]
   56. - Custom install (update) of individual packages [C]
   57.  
   58. You can type Q at any prompt to quit the installation and exit
   59. the script without making any changes to your environment.
   60.  
   61. How do you want to proceed? (E|S|X|C|Q) [E]:Q
   62. root@redmine:/usr/local/src/centrify#

   Notice that there were 3 warnings so I quit the installer by typing Q followed by enter at the first prompt. You should always allow the check to run with Centrify and then attempt to resolve any errors or warning generated. Two of the warnings I am able to resolve so the next two steps may or may not be part of your installation process depending on what warnings you received during the check. In my case I needed to install portmap and modify the sshd_config file.

4. Install portmap On Ubuntu 12.04: One of the warnings from the Centrify check script was related to portmap or rpcbind not being installed. Use the command below to install portmap on Ubuntu 12.04 Precise Pangolin.
   bash

   
   

   1. root@redmine:/usr/local/src# apt-get install portmap
   2. Reading package lists... Done
   3. Building dependency tree
   4. Reading state information... Done
   5. Note, selecting 'rpcbind' instead of 'portmap'
   6. The following extra packages will be installed:
   7. libgssglue1 libtirpc1
   8. The following NEW packages will be installed:
   9. libgssglue1 libtirpc1 rpcbind
   10. 0 upgraded, 3 newly installed, 0 to remove and 72 not upgraded.
   11. Need to get 150 kB of archives.
   12. After this operation, 519 kB of additional disk space will be used.
   13. Do you want to continue [Y/n]? Y
   14. Get:1 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main libgssglue1 amd64 0.3-4ubuntu0.1 [22.5 kB]
   15. Get:2 http://us.archive.ubuntu.com/ubuntu/ precise/main libtirpc1 amd64 0.2.2-5 [84.2 kB]
   16. Get:3 http://us.archive.ubuntu.com/ubuntu/ precise-updates/main rpcbind amd64 0.2.0-7ubuntu1.2 [42.9 kB]
   17. Fetched 150 kB in 0s (357 kB/s)
   18. Selecting previously unselected package libgssglue1.
   19. (Reading database ... 60692 files and directories currently installed.)
   20. Unpacking libgssglue1 (from .../libgssglue1_0.3-4ubuntu0.1_amd64.deb) ...
   21. Selecting previously unselected package libtirpc1.
   22. Unpacking libtirpc1 (from .../libtirpc1_0.2.2-5_amd64.deb) ...
   23. Selecting previously unselected package rpcbind.
   24. Unpacking rpcbind (from .../rpcbind_0.2.0-7ubuntu1.2_amd64.deb) ...
   25. Processing triggers for man-db ...
   26. Processing triggers for ureadahead ...
   27. ureadahead will be reprofiled on next reboot
   28. Setting up libgssglue1 (0.3-4ubuntu0.1) ...
   29. Setting up libtirpc1 (0.2.2-5) ...
   30. Setting up rpcbind (0.2.0-7ubuntu1.2) ...
   31. Removing any system startup links for /etc/init.d/rpcbind ...
   32. portmap start/running, process 9396
   33. Processing triggers for libc-bin ...
   34. ldconfig deferred processing now taking place
   35. root@redmine:/usr/local/src/centrify#
5. Modify sshd_config On Ubuntu: Next I needed to modify the sshd_config file to allow challenge/response authentication. So PAM was already set to yes in my sshd_config. Search the /etc/ssh/sshd_config file for ChallengeResponseAuthentication and verify it is not commented out and also make sure it is set to Yes and not No. In my case I modified the old line below to become the new line output below it.
   bash

   
   

   1. old: ChallengeResponseAuthentication no
   2. new: ChallengeResponseAuthentication yes

   Once you have modified the sshd_config you will need to restart SSH using “/etc/init.d/ssh restart” or “service ssh restart” for the changes to become

6. Run Centrify Express Installer Again: It is not time to run the Centrify Express installer again once you have resolved all warnings and/or errors noted in the first check. This time the only warnings were regarding the fact that this setup only had a single Windows Domain Controller.
   bash

   
   

   1. root@redmine:/usr/local/src# ./install-express.sh
   2. *****                                                                   *****
   3. *****             WELCOME to the Centrify Express installer!            *****
   4. *****                                                                   *****
   5. Detecting local platform ...Running ./adcheck-deb5-x86_64 ...
   6. OSCHK    : Verify that this is a supported OS                          : Pass
   7. PATCH    : Linux patch check                                           : Pass
   8. PORTMAP  : Verify that portmap or rpcbind is installed                 : Pass
   9. PERL     : Verify perl is present and is a good version                : Pass
   10. SAMBA    : Inspecting Samba installation                               : Pass
   11. SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass
   12. HOSTNAME : Verify hostname setting                                     : Pass
   13. NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
   14. DNSPROBE : Probe DNS server 192.168.100.100                            : Pass
   15. DNSPROBE : Probe DNS server 4.2.2.2                                    : Warning
   16. : This DNS server does not respond to requests. This is a serious problemDNSCHECK : Analyze basic health of DNS servers                         : Warning
   17. : One or more DNS servers are dead or marginal.
   18. : Check the following IP addresses in /etc/resolv.conf.
   19. :
   20. : The following table lists the state of all configured
   21. : DNS servers.
   22. :  38.97.236.148 (vmscan8.accuvant.com): OK
   23. :  4.2.2.2 (b.resolvers.Level3.net): dead
   24. : Only one good DNS server was found
   25. : You might be able to continue but it is likely that you
   26. : will have problems.
   27. : Add more good DNS servers into /etc/resolv.conf.WHATSSH  : Is this an SSH that DirectControl works well with           : Pass
   28. SSH      : SSHD version and configuration                              : Note
   29. : You are running OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012.
   30. :
   31. : If you install Centrify Express or Centrify Suite
   32. : Standard or Enterprise Edition, the Centrify build of
   33. : OpenSSH will be installed automatically. Alternatively
   34. : you may choose individual Suite packages to install
   35. : with the Custom install option.
   36.  
   37. 2 warnings were encountered during check. We recommend checking these before proceeding
   38.  
   39. WARNING: adcheck exited with warning(s).
   40.  
   41. With this script, you can perform the following tasks:
   42. - Install (update) Centrify Suite Enterprise Edition (License required) [E]
   43. - Install (update) Centrify Suite Standard Edition (License required) [S]
   44. - Install (update) Centrify Suite Express Edition [X]
   45. - Custom install (update) of individual packages [C]
   46.  
   47. You can type Q at any prompt to quit the installation and exit
   48. the script without making any changes to your environment.
   49.  
   50. How do you want to proceed? (E|S|X|C|Q) [X]:
   51. Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]:
   52.  
   53. Please enter the Active Directory domain to check [company.com]: example.com
   54. Join an Active Directory domain? (Q|Y|N) [Y]:
   55. Enter the Active Directory domain to join [example.com]:
   56. Enter the Active Directory authorized user [administrator]: redmine
   57. Enter the password for the Active Directory user:
   58. Enter the computer name [redmine]:
   59. Enter the container DN [Computers]:
   60. Enter the name of the domain controller [auto detect]: dc.example.com
   61. Reboot the computer after installation? (Q|Y|N) [Y]:
   62.  
   63. You chose Centrify Suite Express Edition and entered the following:
   64. Install CentrifyDC 5.1.0 package: Y
   65. Install CentrifyDC-nis 5.1.0 package: N
   66. Install CentrifyDC-openssh 5.1.0 package: Y
   67. Install CentrifyDC-ldapproxy 5.1.0 package: N
   68. Install CentrifyDA 3.0.0 package: N
   69. Run adcheck                      : Y
   70. Join an Active Directory domain  : Y
   71. Active Directory domain to join  : example.com
   72. Active Directory authorized user : redmine
   73. computer name                    : redmine
   74. container DN                     : Computers
   75. domain controller name           : dc.example.com
   76. Reboot computer                  : Y
   77.  
   78. If this information is correct and you want to proceed, type "Y".
   79. To change any information, type "N" and enter new information.
   80. Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]:
   81.  
   82. Running ./adcheck-deb5-x86_64 ...
   83. NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
   84. DNSPROBE : Probe DNS server 192.168.100.100                            : Pass
   85. DNSPROBE : Probe DNS server 4.2.2.2                                    : Warning
   86. : This DNS server does not respond to requests. This is a serious problem
   87.  
   88. DNSCHECK : Analyze basic health of DNS servers                         : Warning
   89. : One or more DNS servers are dead or marginal.
   90. : Check the following IP addresses in /etc/resolv.conf.
   91. :
   92. : The following table lists the state of all configured
   93. : DNS servers.
   94. :  192.168.100.100 (dc.example.com): OK
   95. :  4.2.2.2 (unknown): dead
   96. : Only one good DNS server was found
   97. : You might be able to continue but it is likely that you
   98. : will have problems.
   99. : Add more good DNS servers into /etc/resolv.conf.
   100.  
   101. WHATSSH  : Is this an SSH that DirectControl works well with           : Pass
   102. SSH      : SSHD version and configuration                              : Note
   103. : You are running OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012.
   104. :
   105. : If you install Centrify Express or Centrify Suite
   106. : Standard or Enterprise Edition, the Centrify build of
   107. : OpenSSH will be installed automatically. Alternatively
   108. : you may choose individual Suite packages to install
   109. : with the Custom install option.
   110.  
   111. DOMNAME  : Check that the domain name is reasonable                    : Pass
   112. ADDC     : Find domain controllers in DNS                              : Pass
   113. ADDNS    : DNS lookup of DC dc.example.com                      : Pass
   114. ADPORT   : Port scan of DC dc.example.com                       : Pass
   115. ADDC     : Check Domain Controllers                                    : Pass
   116. ADDNS    : DNS lookup of DC dc.example.com                      : Pass
   117. GCPORT   : Port scan of GC dc.example.com                       : Pass
   118. ADGC     : Check Global Catalog servers                                : Pass
   119. DCUP     : Check for operational DCs in example.com               : Pass
   120. SITEUP   : Check DCs for example.com in our site                  : Pass
   121. DNSSYM   : Check DNS server symmetry                                   : Pass
   122. ADSITE   : Check that this machine's subnet is in a site known by AD   : Pass
   123. GSITE    : See if we think this is the correct site                    : Pass
   124. TIME     : Check clock synchronization                                 : Pass
   125. ADSYNC   : Check domains all synchronized                              : Pass
   126. 2 warnings were encountered during check. We recommend checking these before proceeding
   127.  
   128. WARNING: adcheck exited with warning(s).
   129. Selecting previously unselected package centrifydc.
   130. (Reading database ... 60764 files and directories currently installed.)
   131. Unpacking centrifydc (from .../centrifydc-5.1.0-deb5-x86_64.deb) ...
   132. Selecting previously unselected package centrifydc-openssh.
   133. Unpacking centrifydc-openssh (from .../centrifydc-openssh-6.0p1-5.1.0-deb5-x86_64.deb) ...
   134. Setting up centrifydc (5.1.0-497) ...
   135. Restoring group.ignore from /etc/centrifydc/custom/ ...
   136. Restoring user.ignore from /etc/centrifydc/custom/ ...
   137. Processing triggers for man-db ...
   138. Processing triggers for ureadahead ...
   139. Setting up centrifydc-openssh (6.0p1-5.1.0.472) ...
   140. Joining the Active Directory domain example.com ...
   141. Using domain controller: dc.example.com writable=true
   142. Join to domain:example.com, zone:Auto Zone successful
   143.  
   144. Centrify DirectControl started.
   145. Loading domains and trusts information
   146.  
   147. Initializing cache
   148. .
   149. You have successfully joined the Active Directory domain: example.com
   150. in the Centrify DirectControl zone: Auto Zone
   151.  
   152. You may need to restart other services that rely upon PAM and NSS or simply
   153. reboot the computer for proper operation.  Failure to do so may result in
   154. login problems for AD users.
   155.  
   156. Rebooting the computer ...
   157. Rebooting now ...
   158. Install.sh completed successfully.
   159. root@redmine:/usr/local/src#

   This time the Centrify Express installer completed without issue. Once you go through the installer completely your server will reboot to lockin the changes and join the domain on boot. Even though rebooting Linux seems fairly silly it is also a great test to make sure your server will join the Windows Domain if it is ever power cycled.

7. Verify Linux Server Joined Windows Domain: Now on the Domain Controller itself you should look underneath the Computers tree to see if the Linux server displays there as shown in the below example. In the above example the Linux server is named redmine and now displays in the authenticated servers on the Windows Domain Controller.
   You should also double check that the centrifydc service is set to start at boot each time. You can do this by installing chkconfig (apt-get install chkconfig) and then running “chkconfig –list | grep centrify” from a shell on the Ubuntu Linux server.

So in my case the next steps involved configuring Redmine for LDAP and testing Redmine user logins using Windows credentials. All worked without issue and that is why Centrify blows software like likewise-open out of the water for a simple join of a Linux box to a Windows domain.

Click here for more information about Centrify Express or click here for more Centrify related articles.