Centrify allows for central user management from Active Directory. It works well on multiple platforms, but in this case we're using it for the Atlassian Linux boxes.

This would actually make a good part 1, so if you haven't started on any of this yet, do this first.

Ready? OK.

First up, do a little work on your domain to add the specific groups and users you will need.

[Screenshot: CentrifyAD]

Preparation for the Linux box to join Centrify. This is hugely important: if this part is wrong, everything after it goes wrong.

1. Change the hostname of the Linux computer. (Do this only if you haven't brought the system up yet; it is not a great idea to do it last, because things will break. Otherwise skip directly to #3, the resolv.conf DNS file.)

Changing the hostname on CentOS

Step 1: Edit /etc/sysconfig/network
[gvandenham@PostGresDB1 ~]$ vi /etc/sysconfig/network
Change the line to HOSTNAME=myserver.name.com

Step 2: Edit /etc/hostname
[gvandenham@PostGresDB1 ~]$ vi /etc/hostname
Change the line to myserver.name.com

Step 3: Run hostname to update the hostname of the running system.
[gvandenham@PostGresDB1 ~]$ hostname -F /etc/hostname

2. Ensure your /etc/nsswitch.conf contains the following line:
[gvandenham@PostGresDB1 ~]$ cat /etc/nsswitch.conf
hosts: files dns
See the man page for nsswitch.conf for more information on configuring nsswitch.

3. Ensure your resolv.conf includes a DNS server that can resolve the SRV records for your domain.

[gvandenham@PostGresDB1 ~]$ less /etc/resolv.conf
You should see something like:

search example.com
nameserver 192.168.1.5
Fix the DNS server entry so it points at the domain controller:
[gvandenham@PostGresDB1 ~]$ sudo -u root vi /etc/resolv.conf
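The three preparation steps above are exactly what the installer's adcheck run tests later (its HOSTNAME, NSHOSTS and DNSPROBE/DNSCHECK lines), so it is worth scripting them before you copy the software over. The script below is an added example, not part of the original post and not Centrify's tooling; the function names, the requirement that the hostname be fully qualified, and the insistence on a search/domain line are my assumptions. The SRV record it looks up is the standard one Active Directory clients query to find domain controllers.

```sh
#!/bin/sh
# Pre-join checks for a Centrify/AD join (added example, not from the post).
# Each check takes the file or value to inspect, defaulting to the live system,
# so the same functions can be run against copies of the files in a test.

# 1. /etc/nsswitch.conf: the hosts line must name both "files" and "dns";
#    this is what adcheck's NSHOSTS check looks at.
check_nsswitch() {
    file=${1:-/etc/nsswitch.conf}
    hosts=$(sed -n 's/^hosts:[[:space:]]*//p' "$file" | head -n 1 | tr '\t' ' ')
    for src in files dns; do
        case " $hosts " in
            *" $src "*) ;;
            *) echo "nsswitch.conf: hosts line lacks '$src' (hosts: $hosts)" >&2; return 1 ;;
        esac
    done
}

# 2. /etc/resolv.conf: at least one nameserver, plus a search or domain line so
#    a short DC name such as SprocketDC1 can be qualified. The adcheck run later
#    in the post ("Cannot resolve the IP address for sprocketdc1") is what a
#    miss here looks like.
check_resolv() {
    file=${1:-/etc/resolv.conf}
    if ! grep -q '^nameserver[[:space:]]' "$file"; then
        echo "resolv.conf: no nameserver entries" >&2; return 1
    fi
    if ! grep -q -e '^search[[:space:]]' -e '^domain[[:space:]]' "$file"; then
        echo "resolv.conf: no search/domain line; use the DC's FQDN instead" >&2; return 1
    fi
}

# 3. Hostname: adcheck's HOSTNAME check verifies the hostname setting. Following
#    the post's step 1 (myserver.name.com) this insists on a fully qualified
#    name and rejects the default "localhost" (an assumption of this example).
check_hostname() {
    name=${1:-$(hostname 2>/dev/null || uname -n)}
    case "$name" in
        ''|localhost|localhost.*) echo "hostname: '$name' is not usable for a domain join" >&2; return 1 ;;
        *.*) return 0 ;;
        *) echo "hostname: '$name' is not fully qualified" >&2; return 1 ;;
    esac
}

# 4. The DNS SRV record that AD clients query to locate domain controllers.
dc_srv_name() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
}

# Live lookup of that record; skipped (not failed) when dig is not installed.
check_dc_srv() {
    rec=$(dc_srv_name "$1")
    if ! command -v dig >/dev/null 2>&1; then
        echo "dig not installed; skipping SRV lookup for $rec" >&2; return 0
    fi
    if dig +short SRV "$rec" | grep -q .; then return 0; fi
    echo "no answer for $rec: resolv.conf does not point at an AD-aware DNS server" >&2
    return 1
}

# Run all checks against the live system:  sh prejoin_check.sh dev.net
main() {
    domain=$1
    if [ -z "$domain" ]; then echo "usage: $0 <ad-domain>" >&2; return 2; fi
    rc=0
    check_nsswitch || rc=1
    check_resolv   || rc=1
    check_hostname || rc=1
    check_dc_srv "$domain" || rc=1
    [ "$rc" -eq 0 ] && echo "pre-join checks passed for $domain"
    return $rc
}

# Only run main when executed as a script, so the functions can also be sourced.
case "${0##*/}" in prejoin_check.sh) main "$@" ;; esac
```

Run it as sh prejoin_check.sh dev.net before the install; a non-zero exit tells you which of the three files to go back and fix, and the SRV lookup confirms the nameserver you put in resolv.conf actually serves the domain's records rather than just answering pings.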

[Screenshot: CentrifyDNS]

Create a directory to copy the Centrify install to.

Gregorys-MacBook-Pro:~ gvandenham$ ssh [email protected]
[email protected]’s password:
Last login: Sun Jun 28 17:48:21 2015 from c-50-129-xx-xxx.hsd1.il.comcast.net

[gvandenham@PostGresDB1 ~]$ mkdir centrify_install

Copy centrify software from local system to server:

Gregorys-MacBook-Pro:downloads gvandenham$ scp centrify-suite-2015-rhel3-x86_64.tgz [email protected]:/home/gvandenham/centrify_install/
[email protected]’s password:
centrify-suite-2015-rhel3-x86_64.tgz 78% 34MB 2.8MB/s 00:03 ETA

Change the file permissions to allow it to execute, create the expansion directory, expand the contents, and take a tour of the directory

[gvandenham@PostGresDB1 ~]$ cd centrify_install/
[gvandenham@PostGresDB1 centrify_install]$ ls
centrify-suite-2015-rhel3-x86_64.tgz
[gvandenham@PostGresDB1 centrify_install]$ chmod a+x centrify-suite-2015-rhel3-x86_64.tgz

[gvandenham@PostGresDB1 centrify_install]$ sudo -u root mkdir /usr/src/centrify
[sudo] password for gvandenham:
[gvandenham@PostGresDB1 centrify_install]$ sudo -u root tar -xf centrify-suite-2015-rhel3-x86_64.tgz -C /usr/src/centrify/
[gvandenham@PostGresDB1 centrify_install]$ cd /usr/src/centrify
[gvandenham@PostGresDB1 centrify]$ ls
adcheck-rhel3-x86_64
centrifyda-3.2.2-rhel3-x86_64.rpm
centrifydc-5.2.2-rhel3-x86_64.rpm
centrifydc-install.cfg
centrifydc-ldapproxy-5.2.2-rhel3-x86_64.rpm
centrifydc-nis-5.2.2-rhel3-x86_64.rpm
centrifydc-openssh-6.6p1-5.2.2-rhel3-x86_64.rpm
centrify-suite.cfg
install-express.sh
install.sh
release-notes-agent-rhel3-x86_64.txt
release-notes-da-rhel3-x86_64.txt
release-notes-nis-rhel3-x86_64.txt
release-notes-openssh-rhel3-x86_64.txt
[gvandenham@PostGresDB1 centrify]$

Install Centrify:

[gvandenham@PostGresDB1 centrify]$ sudo -u root ./install-express.sh

***** *****
***** WELCOME to the Centrify Express installer! *****
***** *****

Detecting local platform …

Running ./adcheck-rhel3-x86_64 …
OSCHK : Verify that this is a supported OS : Pass
PATCH : Linux patch check : Pass
PERL : Verify perl is present and is a good version : Pass
SAMBA : Inspecting Samba installation : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass
HOSTNAME : Verify hostname setting : Pass
NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass
DNSPROBE : Probe DNS server 100.112.208.5 : Pass
DNSCHECK : Analyze basic health of DNS servers : Warning
: One or more DNS servers are dead or marginal.
: Check the following IP addresses in /etc/resolv.conf.
:
: The following table lists the state of all configured
: DNS servers.
: 100.112.208.5 (unknown): marginal

WHATSSH : Is this an SSH that DirectControl works well with : Pass
SSH : SSHD version and configuration : Warning
: You are running OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013.
:
: This version of OpenSSH does not seem to be configured for PAM,
: ChallengeResponse and Kerberos/GSSAPI support.
: To get Active Directory users to successfully login,
: you need to configure your OpenSSH with the following options:
: (display the ones we identified were not set)
: ChallengeResponseAuthentication yes
: UsePAM Yes
:
: Centrify provides a version of OpenSSH that’s configured properly
: to allow AD users to login and provides Kerberos GSSAPI support.
:
: If you install Centrify Express or Centrify Suite
: Standard or Enterprise Edition, the Centrify build of
: OpenSSH will be installed automatically. Alternatively
: you may choose individual Suite packages to install
: with the Custom install option.

2 warnings were encountered during check. We recommend checking these before proceeding

WARNING: adcheck exited with warning(s).

With this script, you can perform the following tasks:
– Install (update) Centrify Suite Enterprise Edition (License required) [E]
– Install (update) Centrify Suite Standard Edition (License required) [S]
– Install (update) Centrify Suite Express Edition [X]
– Custom install (update) of individual packages [C]

You can type Q at any prompt to quit the installation and exit
the script without making any changes to your environment.

How do you want to proceed? (E|S|X|C|Q) [X]: X

The Express mode license allows you to install a total of 200 agents.
The Express mode license does not allow the use of licensed features for
advanced authentication, access control, auditing, and centralized
management. This includes, but is not limited to features such as
SmartCard authentication, DirectAuthorize, DirectAudit, Group Policy,
Login User Filtering, and NSS overrides.

Do you want to continue to install in Express mode? (C|Y|Q|N) [Y]:Y

Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]:N
Join an Active Directory domain? (Q|Y|N) [Y]:Y
Enter the Active Directory domain to join [company.com]: dev.net
Enter the Active Directory authorized user [administrator]: gvandenh
Enter the password for the Active Directory user:
Enter the computer name [PostGresDB1]:
Enter the container DN [Computers]:
Enter the name of the domain controller [auto detect]: SprocketDC1
Reboot the computer after installation? (Q|Y|N) [Y]:N

You chose Centrify Suite Express Edition and entered the following:
Install CentrifyDC 5.2.2 package: Y
Install CentrifyDC-nis 5.2.2 package: N
Install CentrifyDC-openssh 5.2.2 package: Y
Install CentrifyDC-ldapproxy 5.2.2 package: N
Install CentrifyDA 3.2.2 package: N
Run adcheck : N
Join an Active Directory domain : Y
Active Directory domain to join : dev.net
Active Directory authorized user : gvandenham
computer name : PostGresDB1
container DN : Computers
domain controller name : SprocketDC1
Reboot computer : N

If this information is correct and you want to proceed, type “Y”.
To change any information, type “N” and enter new information.
Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]:
Preparing packages…
CentrifyDC-5.2.2-186.x86_64
CentrifyDC-openssh-6.6p1-5.2.2.186.x86_64
Joining the Active Directory domain dev.net …
Using domain controller: sprocketdc1 writable=true
Join to domain:dev.net, zone:Auto Zone successful

Centrify DirectControl started.
Loading domains and trusts information
………………………….
………………………..

Could not get the domain prefix map in allotted time.
If there are conflicts it could cause two or more users to have the same UID.
You can increase the parameter “adjoin.adclient.wait.seconds” to wait longer.
See /etc/centrifydc/centrifydc.conf.

Initializing cache
.
You have successfully joined the Active Directory domain: dev.net
in the Centrify DirectControl zone: Auto Zone

You may need to restart other services that rely upon PAM and NSS or simply
reboot the computer for proper operation. Failure to do so may result in
login problems for AD users.

Install.sh completed successfully.
[gvandenham@PostGresDB1 centrify]$

[Screenshot: CentrifyADJoined]

Now it's time to edit one monster of a config file.

vi is a good friend if you remember that you can search for strings using '/'. Remember 'i' for insert, 'Esc' to stop inserting, and 'ZZ' to write and exit.

[gvandenham@PostGresDB1 centrify]$ cd /etc/centrifydc/
[gvandenham@PostGresDB1 centrifydc]$ ls
adobfuscate.conf gid.ignore openldap uid.ignore
apu.lst group.ignore passwd.ovr.sample upgradeconf.conf
centrifydc.conf group.ovr.sample scripts user.ignore
defaults.conf old ssh

[gvandenham@PostGresDB1 centrifydc]$ sudo -u root vi centrifydc.conf
[sudo] password for gvandenham:

We're going to uncomment three variables in the file (remember: '/' to search for the variable, edit, Esc, search for the next one, edit, and so on):

pam.homedir.create.mesg: Created home directory
pam.homedir.create: true
auto.schema.homedir: /home/dev.net/%{user} (note: with this one I've added the domain to the file path, to help with the clutter of logins.)

[Screenshot: CentrifyHomeDir]

Remember to create the directory you just specified in the config, or you'll have an issue to work out later 🙂

[gvandenham@PostGresDB1 centrifydc]$ sudo -u root mkdir /home/dev.net/
[sudo] password for gvandenham:
[gvandenham@PostGresDB1 centrifydc]$
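If you are building more than one of these boxes, the config edit and the mkdir above are easier to script than to do in vi every time. The following is an added example, not code from the post or from Centrify; the helper names are mine. It assumes the "key: value" line format centrifydc.conf uses, with unset keys shipped commented out as "# key: value", and it rewrites those lines in place so it can be rerun safely.

```sh
#!/bin/sh
# Script the centrifydc.conf edit and the home-directory parent from the post
# (added example; helper names are mine, not Centrify's). centrifydc.conf uses
# "key: value" lines, with unset keys shipped commented out as "# key: value".

# Set KEY to VALUE in FILE: rewrite the existing (possibly commented) line for
# that key, or append one if there is none. Safe to re-run.
set_conf_key() {
    file=$1 key=$2 value=$3
    pat=$(printf '%s\n' "$key" | sed 's/\./\\./g')        # '.' is a regex metachar
    rep=$(printf '%s\n' "$value" | sed 's/[&\\]/\\&/g')    # protect sed replacement chars
    if grep -q "^[[:space:]]*#*[[:space:]]*$pat:" "$file"; then
        sed "s|^[[:space:]]*#*[[:space:]]*$pat:.*|$key: $rep|" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        printf '%s: %s\n' "$key" "$value" >> "$file"
    fi
}

# Read back the active (uncommented) value of KEY from FILE.
get_conf_key() {
    pat=$(printf '%s\n' "$2" | sed 's/\./\\./g')
    sed -n "s/^$pat:[[:space:]]*//p" "$1" | tail -n 1
}

# The parent of the auto.schema.homedir template (e.g. /home/dev.net for
# /home/dev.net/%{user}) must exist before the first AD login creates a home.
ensure_homedir_parent() {
    parent=${1%/*}
    [ -d "$parent" ] || mkdir -p "$parent" || return 1
    chmod 0755 "$parent"
}

# Apply the three settings from the post and create the parent directory.
configure_centrify_homedirs() {
    conf=${1:-/etc/centrifydc/centrifydc.conf}
    default_tmpl='/home/dev.net/%{user}'
    tmpl=${2:-$default_tmpl}
    set_conf_key "$conf" pam.homedir.create.mesg "Created home directory" &&
    set_conf_key "$conf" pam.homedir.create true &&
    set_conf_key "$conf" auto.schema.homedir "$tmpl" &&
    ensure_homedir_parent "$tmpl"
}

# Usage (as root):  configure_centrify_homedirs
# then restart the agent as the post does later:  /etc/init.d/centrifydc restart
```

Keep the parent directory root-owned and 0755: the agent creates each user's own home under it at first login, and a writable parent would let any local user pre-create another user's directory.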

Modify the /etc/sudoers file to give the domain group full control of the server; in this case, the one we created earlier in Active Directory, "Atlasssian_System_Admins".

[gvandenham@PostGresDB1 etc]$ sudo -u root visudo
[gvandenham@PostGresDB1 etc]$

[Screenshot: CentrifyConfigFile]

Log in with the account and browse around to test access.

Gregorys-MacBook-Pro:~ gvandenham$ ssh [email protected]
S
Kernel 3.10.0-229.4.2.el7.x86_64 on an x86_64

Password:
Created home directory
[gtothev@PostGresDB1 ~]$ ls
[gtothev@PostGresDB1 ~]$ cd /
[gtothev@PostGresDB1 /]$ ls
bin dev home lib64 media opt root sbin sys usr
boot etc lib lost+found mnt proc run srv tmp var
[gtothev@PostGresDB1 /]$ cd home
[gtothev@PostGresDB1 home]$ ls
dev.net gvandenham
[gtothev@PostGresDB1 home]$ cd dev.net
[gtothev@PostGresDB1 dev.net]$ ls
gtothev gvandenham
[gtothev@PostGresDB1 dev.net]$

If you have problems with Centrify, here are some quick troubleshooting commands.

[gvandenham@PostGresDB1 ~]$ adcheck dev.net --servername sprocketdc1
OSCHK : Verify that this is a supported OS : Pass
PATCH : Linux patch check : Pass
PERL : Verify perl is present and is a good version : Pass
SAMBA : Inspecting Samba installation : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass
HOSTNAME : Verify hostname setting : Pass
NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass
DNSPROBE : Probe DNS server 100.112.150.44 : Pass
DNSPROBE : Probe DNS server 100.112.208.5 : Pass
DNSCHECK : Analyze basic health of DNS servers : Warning
: One or more DNS servers are dead or marginal.
: Check the following IP addresses in /etc/resolv.conf.
:
: The following table lists the state of all configured
: DNS servers.
: 100.112.150.44 (unknown): OK
: 100.112.208.5 (unknown): marginal
: Only one good DNS server was found
: You might be able to continue but it is likely that you
: will have problems.
: Add more good DNS servers into /etc/resolv.conf.

SRVOPT : Checking that the -s server exists : Pass
WHATSSH : Is this an SSH that DirectControl works well with : Pass
SSH : SSHD version and configuration : Pass
DOMNAME : Check that the domain name is reasonable : Pass
ADDNS : DNS lookup of DC sprocketdc1 : Warning
: Cannot resolve the IP address for sprocketdc1.

ADDC : Check Domain Controllers : Failed
: None of the DCs can be resolved.

ADGC : Check Global Catalog servers : Note
: Server is specified. GC check is skipped.

DCUP : Check for operational DCs in dev.net : Failed
: No working domain controllers were found.

2 serious issues were encountered during check. These must be fixed before proceeding
2 warnings were encountered during check. We recommend checking these before proceeding
Note: You specified a server name on the command line. You must specify this on the adjoin command
and in the Centrify configuration file once you have installed DirectControl
[gvandenham@PostGresDB1 ~]$
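adcheck output is long, and the two lines that matter in the run above (ADDC and DCUP reporting Failed, because the short name sprocketdc1 cannot be resolved) are easy to miss. The following is an added example, not a Centrify tool: a small filter that pulls the per-check status lines out of a transcript and turns them into an exit code a build script can act on. The sample transcript inside is constructed from the run above, with the alignment the real tool prints.

```sh
#!/bin/sh
# Triage an adcheck transcript (added example, not a Centrify tool). adcheck
# prints one "NAME : description : STATUS" line per check, with any detail on
# the following ": ..." lines; these helpers pick out the statuses so a build
# script can stop on Failed instead of someone reading the whole run.

# Print "CHECK STATUS" pairs from an adcheck transcript on stdin.
adcheck_statuses() {
    awk -F' : ' 'NF == 3 && $1 ~ /^[A-Z]+ *$/ && $3 ~ /^(Pass|Warning|Failed|Note)[ \r]*$/ {
        sub(/ +$/, "", $1); sub(/[ \r]+$/, "", $3); print $1, $3 }'
}

# Names of the checks that failed outright.
adcheck_failed() {
    adcheck_statuses | awk '$2 == "Failed" { print $1 }'
}

# Exit status summarising the run: 0 all clean, 1 warnings only, 2 any Failed.
adcheck_verdict() {
    adcheck_statuses | awk '
        $2 == "Failed"  { failed++; print "FAILED :", $1 }
        $2 == "Warning" { warned++; print "warning:", $1 }
        END { if (failed) exit 2; if (warned) exit 1; exit 0 }'
}

# Constructed sample, trimmed from the adcheck run in the post (not live output).
sample_transcript() {
    cat <<'EOF'
OSCHK    : Verify that this is a supported OS          : Pass
DNSCHECK : Analyze basic health of DNS servers         : Warning
         : One or more DNS servers are dead or marginal.
ADDNS    : DNS lookup of DC sprocketdc1                : Warning
         : Cannot resolve the IP address for sprocketdc1.
ADDC     : Check Domain Controllers                    : Failed
         : None of the DCs can be resolved.
DCUP     : Check for operational DCs in dev.net        : Failed
         : No working domain controllers were found.
2 serious issues were encountered during check. These must be fixed before proceeding
EOF
}

# Live use:  adcheck dev.net --servername sprocketdc1 | tee adcheck.log | adcheck_verdict
case "${0##*/}" in adcheck_triage.sh) adcheck_verdict ;; esac
```

On the transcript above the verdict is exit 2 with ADDC and DCUP listed; fixing the DC name resolution (a search domain in resolv.conf, or the controller's FQDN on the command line) is what turns those into Pass.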

adinfo -A -u GtotheV checks a user's password:

[gtothev@PostGresDB1 dev.net]$ adinfo -A -u GtotheV
Active Directory password:
Password for user “GtotheV” is correct
[gtothev@PostGresDB1 dev.net]$

adquery user GtotheV -xwclkde prints lots of user information:

[gtothev@PostGresDB1 dev.net]$ adquery user -xwclkde
gtothev:accountExpires:Never
gtothev:passwordExpires:Mon Aug 10 00:29:34 2015
gtothev:nextPasswordChange:Tue Jun 30 00:29:34 2015
gtothev:lastPasswordChange:Mon Jun 29 00:29:34 2015
gtothev:accountLocked:false
gtothev:accountDisabled:false
gtothev:zoneEnabled:true
Account and password information unavailable. Permission denied.
gvandenham:zoneEnabled:true
[gtothev@PostGresDB1 dev.net]$

Restart Centrify:

[gvandenham@PostGresDB1 ~]$ sudo -u root /etc/init.d/centrifydc restart
Restarting centrifydc (via systemctl): [ OK ]
[gvandenham@PostGresDB1 ~]$

Additional note:

Ever want to bind a machine to a specific OU? For instance, when you've given an AD group delegated rights to an OU:

adjoin -w -c "ou=Dev-Servers" -V -u [email protected] domain.com (where domain.com is your AD forest name).

Delegate rights article: http://sigkillit.com/2013/06/12/delegate-adddelete-computer-objects-in-ad/