@jmenbo
Last active January 19, 2021 05:11
AD Authentication for Linux Systems via Centrify

Background

From time to time it is useful to have Linux systems authenticate against a Windows AD domain controller

Centrify is a third-party product that makes this process easy to set up

Centrify provides two versions of its product: a commercial version and a free version

For our purposes, the free version provides all the functionality we need

The free version is called Centrify Express and can be found here: Centrify Express Download


Prerequisites

DNS Settings

Before you can bind Linux systems to AD, they need to use the Windows DNS servers as their DNS resolvers (the domain join locates domain controllers through DNS)

$ sudo vim /etc/resolv.conf

The file should look something like this:

search your.domain.name
nameserver 1.2.3.4
nameserver 1.2.3.5

Get Centrify Express

Download Centrify Express (see the Centrify Express Download link above)

Optional: Create a "centrify" working directory (the archive expands its files into the current directory)

$ mkdir centrify

Move the downloaded Centrify tar file into the working directory

$ mv centrify-download-file-name.tgz centrify

Move into the working directory

$ cd centrify

Uncompress the archive

$ tar -xvzf centrify-download-file-name.tgz

Installing Centrify

Run the installer

$ sudo ./install-express.sh

IMPORTANT:

Make sure to run the install-express.sh installer and NOT install.sh

Follow the installer prompts

Install (update) Centrify Suite Express Edition [X]:X
Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]:Y
Join an Active Directory domain? (Q|Y|N) [Y]:
    Enter the Active Directory authorized user [administrator]: ad-admin-username
    Enter the password for the Active Directory user: 
    Enter the computer name [dcname.windows.domain.name]: dcname
    Enter the container DN [Computers]: 
    Enter the name of the domain controller [auto detect]: 
Reboot the computer after installation? (Q|Y|N) [Y]:Y

Checking Centrify Installation

Query an AD user

$ adquery user someuserid

someuserid:x:100664652:100664652:Some User Name:/home/someuserid:/bin/bash

Query all AD users - you probably don't want to do this if you have hundreds of users in your AD

$ adquery user

...
	long list of users omitted
...

centrify-sshd configuration

NOTE:

Centrify installs its own version of OpenSSH

During Centrify installation, the default OpenSSH is removed and Centrify installs its own version

The new sshd configuration files are located at: /etc/centrifydc/ssh

The following options need to be added or modified in /etc/centrifydc/ssh/sshd_config to make X11 forwarding work:

X11Forwarding yes
XAuthLocation /usr/bin/xauth

Remove 'Banner' from ssh login:

Banner none

Restart centrify-sshd:

$ sudo /etc/init.d/centrify-sshd restart

Controlling access

Grant access to specific AD users:

Add this line to /etc/centrifydc/centrifydc.conf

pam.allow.users: file:/etc/centrifydc/users.allow

Create /etc/centrifydc/users.allow (one user per line)

Reload Centrify configuration

$ adreload

$ adflush

Similarly, access can be controlled through AD groups:

Uncomment this line in /etc/centrifydc/centrifydc.conf

pam.allow.groups: file:/etc/centrifydc/groups.allow

Create /etc/centrifydc/groups.allow (one group per line)

Reload Centrify configuration

$ adreload

$ adflush

Default home directories

By default, Centrify uses /home/USERNAME as the home directory

To change the home directory, add this line to /etc/centrifydc/centrifydc.conf

auto.schema.homedir: /users/%{user}

NOTE: This assumes you have UID/GID mapping in place so that the values on the NFS server match those of the AD users.


Mapping Unix/Linux UID/GID values

Uncomment this line in /etc/centrifydc/centrifydc.conf

nss.passwd.override: file:/etc/centrifydc/passwd.ovr

Add (for example) the following to /etc/centrifydc/passwd.ovr

+aduser1:::5000:40000:::
+aduser2:::5001:40001:::
+aduser3:::5002:40002:::

You can use this file to map an AD username to a different Unix username

You can also override a user's default home directory and shell

The format follows the /etc/passwd field order (Unix username, password, UID, GID, GECOS, home directory, shell), prefixed with the AD username; fields you leave empty keep their default value:

	+adusername:unixusername::UID:GID::/custom/home/dir:/custom/shell

This line must appear at the bottom of /etc/centrifydc/passwd.ovr, so that all other AD users are still included with their default mapping

+:::::::
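A mistake in passwd.ovr (a shifted field, or two AD users given the same UID) silently hands one user another user's files on the NFS server, so it is worth checking the file before running adreload. The following checker is an added example and not part of the original gist or of Centrify; it only applies the 8-field layout and the trailing catch-all rule shown above, and its sample file is constructed.

```python
# Fields of a passwd.ovr entry, in the order shown on this page.
FIELDS = ["aduser", "unixuser", "password", "uid", "gid", "gecos", "home", "shell"]
CATCH_ALL = "+:::::::"  # passes all remaining AD users through with defaults


def parse_entry(line):
    """Split one '+' override line into a dict; return None if it is not 8 fields."""
    fields = line.split(":")
    if len(fields) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, fields))
    entry["aduser"] = entry["aduser"][1:]  # drop the leading '+'
    return entry


def check_passwd_ovr(text):
    """Return a list of problems found in the contents of a passwd.ovr file."""
    problems = []
    uid_owner = {}  # UID -> first AD user that claimed it
    lines = [l.strip() for l in text.splitlines()]
    entries = [l for l in lines if l and not l.startswith("#")]
    for n, line in enumerate(entries, 1):
        if not line.startswith("+"):
            problems.append(f"entry {n}: must start with '+': {line}")
            continue
        if line == CATCH_ALL:
            if n != len(entries):
                problems.append(f"entry {n}: catch-all {CATCH_ALL} must be the last line")
            continue
        entry = parse_entry(line)
        if entry is None:
            problems.append(f"entry {n}: expected 8 fields, got {line.count(':') + 1}: {line}")
            continue
        for key in ("uid", "gid"):
            if entry[key] and not entry[key].isdigit():
                problems.append(f"entry {n}: {key} '{entry[key]}' is not numeric")
        uid = entry["uid"]
        if uid.isdigit():  # two AD users on one UID share each other's files
            if uid in uid_owner and uid_owner[uid] != entry["aduser"]:
                problems.append(f"entry {n}: UID {uid} already assigned to {uid_owner[uid]}")
            uid_owner.setdefault(uid, entry["aduser"])
    if CATCH_ALL not in entries:
        problems.append(f"missing catch-all {CATCH_ALL} as the last line")
    return problems


# Constructed sample: a UID collision, a misplaced catch-all and a 9-field entry.
SAMPLE = """\
+aduser1:::5000:40000:::
+aduser2:::5001:40001:::
+aduser3:::5000:40002:::
+:::::::
+aduser4:bob::::5003:40003:/users/bob:/bin/bash
"""

if __name__ == "__main__":
    for problem in check_passwd_ovr(SAMPLE):
        print(problem)
```

Run it against the real file with `check_passwd_ovr(open("/etc/centrifydc/passwd.ovr").read())` before adreload and adflush.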