
Not able to login to my unix machine via AD id

Participant II
Posts: 4
Registered: 03-03-2017
#1 of 7
Accepted Solution

Not able to login to my unix machine via AD id

Hi Team,

 

I am new to Centrify; it is my first time using Centrify.

I have configured Centrify Express in my cluster and also integrated it with AD. I am not able to log in to only one server with an AD user, though I am able to log in to the other servers that have the Centrify agent installed.

So can someone please help me figure out this issue? Thanks in advance.

 

Thanks

Saurabh 

Participant II
Posts: 4
Registered: 03-03-2017
#2 of 7

Re: Not able to login to my unix machine via AD id

Also, I checked adclient and found it not running.

 

[root@m2 ~]# /etc/init.d/centrifydc status
Centrify DirectControl is stopped
[root@m2 ~]# /etc/init.d/centrifydc start
Starting Centrify DirectControl:
  Failed: machine is not joined.

 

So can anyone help me with why I am not able to start it?

 

Centrify Guru I
Posts: 1,784
Registered: 07-26-2012
#3 of 7

Re: Not able to login to my unix machine via AD id


@Saurabh37982,

 

Welcome to the Centrify Express forums.

I moved the thread to the appropriate forum, since the Server Suite forums are for users of the commercial versions.

 

Please note that for us to be able to give you the help you need, we need to know 3 basic pieces of information:

a) Are you running Express or commercial?  (Express)

b) What is the Operating System and version  (e.g. Red Hat Enterprise Linux 7.2)

c) What is the version of Centrify you're running  (you can run the "adinfo -v" command to see this).  The current supported community version is 5.4.x

 

Please understand the following basic concepts.

 

a) Centrify Express for UNIX/Linux allows ALL AD users to log in to the systems.

b) Installing the software alone does not do the job; you have to join Active Directory as you would a Windows system.  This means that you have to provide the credentials of a user with the proper rights to do this.

c) Once you join successfully, the client will be active and running; however, if you had any local users (e.g. in /etc/passwd) that are named the same as AD users, you have to consolidate them.  If you try to log in, you have to supply the AD password instead.

 

 

That being said, it seems you have successfully installed the client, but you have NOT joined AD.

 

To join AD, you need to run the adjoin command (as root or with sudo) and supply the credentials of an AD user that is authorized to join systems in the target OU.

 

For example, if I want to join the domain called corp.contoso.com in express/workstation mode (-w) with the user (-u) called fred, with verbose (-V) output, and I have privileges via sudo, I would run:

 

$ sudo adjoin -w -u fred -V corp.contoso.com

 

This command will prompt you for your sudo password, and then for fred@CORP.CONTOSO.COM's password.  Provided that Fred can join systems to the default Computers container, you'll be fine.

 

For more information about adjoin, please review the man page or the Cheat Sheet below.

 

If you are new to Centrify, here are a few resources:

Centrify Express Documentation:  https://docs.centrify.com/en/css/suite2016/centrify-express-unix-agent-guide.pdf

Centrify commands cheat sheet:  http://community.centrify.com/t5/TechBlog/TIPS-A-Centrify-Server-Suite-Cheat-Sheet/ba-p/22568

My personal blog:  http://centrifying.blogspot.com/search/label/Start%20Here

 

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
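The check-then-join procedure R.P. lays out above (confirm the agent version with adinfo -v, then run adjoin -w as root) as an added shell example. This is not code from the original post or from Centrify. It assumes a Centrify Express agent that provides adinfo and adjoin, that plain adinfo prints a "Joined to domain:" line on a joined host and "Not joined to any domain" otherwise (an assumption about the agent's output), and it uses the post's corp.contoso.com and fred as placeholder domain and join user.

```shell
#!/bin/sh
# Added example, not part of the original post: an idempotent wrapper around the
# check-then-join steps described above. Assumes the Centrify Express agent is
# installed (providing "adinfo" and "adjoin"), that "adinfo" prints a
# "Joined to domain:" line when joined and "Not joined to any domain" when not,
# and that DOMAIN/JOIN_USER are set by the caller (placeholders from the post).

DOMAIN="${DOMAIN:-corp.contoso.com}"
JOIN_USER="${JOIN_USER:-fred}"

# agent_version TEXT: extract "5.4.0-286" from an "adinfo -v" line such as
# "adinfo (CentrifyDC 5.4.0-286)" (the format quoted later in this thread).
agent_version() {
    printf '%s\n' "$1" | sed -n 's/.*(CentrifyDC \([0-9][0-9.-]*\)).*/\1/p'
}

# version_supported VERSION: true for the 5.4.x community release named above.
version_supported() {
    case "$1" in
        5.4.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# join_state TEXT: classify plain "adinfo" output as joined / not-joined / unknown.
join_state() {
    case "$1" in
        *"Joined to domain:"*)        echo joined ;;
        *"Not joined to any domain"*) echo not-joined ;;
        *)                            echo unknown ;;
    esac
}

# ensure_joined: join in workstation mode (-w, the Express "Auto Zone") only when
# the host is not already joined; otherwise just confirm adclient is running.
ensure_joined() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root (or via sudo)" >&2
        return 1
    fi

    ver="$(agent_version "$(adinfo -v 2>&1)")"
    if ! version_supported "$ver"; then
        echo "warning: agent version '$ver' is not the supported 5.4.x release" >&2
    fi

    case "$(join_state "$(adinfo 2>&1)")" in
        joined)
            echo "already joined; checking adclient"
            /etc/init.d/centrifydc status
            ;;
        not-joined)
            # adjoin prompts for the AD password itself. Do not pass it as an
            # argument: command lines are visible to every user via ps.
            adjoin -w -u "$JOIN_USER" -V "$DOMAIN" || return 1
            adinfo
            ;;
        *)
            echo "could not determine join state from adinfo output" >&2
            return 1
            ;;
    esac
}

# Usage (as root):  . ./ensure_joined.sh && ensure_joined
```

The join user only needs rights to create or reset computer objects in the target container; it should not be a domain administrator, and its password should be typed at the adjoin prompt rather than stored in the script.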
Participant II
Posts: 4
Registered: 03-03-2017
#4 of 7

Re: Not able to login to my unix machine via AD id

Hi @Robertson,

 

Thanks for your help. I have resolved the issue by adding the client to the domain manually.

Also, please find below the output of the adjoin command. But I still have one quick question: when I installed the agent via the DirectManager console, why was it not added to the domain only on this server, and how was it added to the other servers? I did not get any error during the deployment steps.

 

a) Are you running Express or commercial?  (Express)

Answer: Yes, I am using the Express version.

 

b) What is the Operating System and version  (e.g. Red Hat Enterprise Linux 7.2)

Answer: I am on CentOS 6.

c) What is the version of Centrify you're running  (you can run the "adinfo -v" command to see this).  The current supported community version is 5.4.x

Answer: I am using adinfo (CentrifyDC 5.4.0-286). 

 

 

[root@m2 ~]# adjoin -w -u saurkuma -V ad.com
saurkuma@AD.COM's password:
Options
-------
Precreate: no
Compatible with 2.x/3.x: no
Enable Apple Scheme to generate UID/GID: no
domain: ad.com
user: saurkuma@AD.COM
container: null
computer name: m2
Pre-Windows 2000 name: m2
DNS Host Name used for dNSHostName attr: null
zone: Auto Zone
server: null
zoneserver: null
gc: null
upn: null
noconf: no
set time: yes
force: no
forceDeleteObj: no
trust: no
des: no
self-serve: no
use ldap to create computer object: no
license type: null

Setting time
Using settings from previous join (under previous dir) to same domain
Initializing domain settings file to ad.com
Attempting bind to ad.com(site:) as saurkuma@AD.COM on any server
Using domain controller: adserver.ad.com writable=true
Initializing forest settings file to AD.COM
Using global catalog server: adserver.ad.com
Search for object by samName: filter=(samAccountName=m2$) root=DC=ad,DC=com
Found existing computer object: CN=m2,CN=Computers,DC=ad,DC=com
Using cn=computers,dc=ad,dc=com container for computer object
Saving zone settings
Zone name:    DC=ad,DC=com
Zone version:
Zone schema:  NULL_AUTO
Zone GUID:    00112233445566778899aabbccddeeff
Searching for SPNs in GC...
Update Computer's Security Descriptor to allow computer object to read/write
operating system and operating system version properties as well as reset password.
Looking for ntSecurityDescriptor for object CN=m2,CN=Computers,DC=ad,DC=com ....
Checking if the required permissions exist.
Unset "Trust for delegation" bit.
Unset "Use Des Key Only" bit.
Set operatingSystemVersion to "6.1:6.6", so that KDC will issue service ticket using AES enctypes.
Update OS information.  This requires computer object update rights...
Update OS information succeeded
Update Encryption Types
Setting machine password...
Setting get init cred callback before set password (rc=0).
Password change succeeded
Samba interoperability is disabled in centrifydc.conf: Skipped synchronizing machine password with Samba
Save kerberos join data...
Using Win 2003 key version 5
Writing kerberos keytab
Updating settings files
Join to domain:ad.com, zone:Auto Zone successful
Starting daemon

Centrify DirectControl started.
Waiting for adclient to startup ......
Adclient startup completed!
Loading domains and trusts information

Initializing cache
.
You have successfully joined the Active Directory domain: ad.com
in the Centrify DirectControl zone: Auto Zone

You may need to restart other services that rely upon PAM and NSS or simply
reboot the computer for proper operation.  Failure to do so may result in
login problems for AD users.

Removing directory '/var/centrifydc/previous'
[root@m2 ~]# /etc/init.d/centrify
centrifyda     centrifydc     centrify-kcm   centrify-sshd
[root@m2 ~]# /etc/init.d/centrifyd
centrifyda  centrifydc
[root@m2 ~]# /etc/init.d/centrifyd
centrifyda  centrifydc
[root@m2 ~]# /etc/init.d/centrifydc status
Centrify DirectControl (pid 10185) is running...
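The adjoin -V transcript above records several things worth verifying after any join: the "Use Des Key Only" and "Trust for delegation" bits were cleared, AES encryption types were enabled, the machine account password was reset, the keytab was written, and an existing computer object was reused. As an added example (not part of the thread or of Centrify's tooling), this shell script audits a saved transcript for those lines. The sample transcript it writes is a constructed, trimmed copy of the output above, and the message strings it searches for are taken verbatim from that output.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a saved "adjoin -V"
# transcript (e.g. "adjoin -w -u USER -V DOMAIN 2>&1 | tee /root/adjoin.log")
# for the security-relevant outcomes visible in the output above. The sample
# transcript written by write_sample_log is a trimmed copy of that output.

# join_option FILE KEY: value of an "Options" line such as "zone: Auto Zone".
join_option() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# require_line FILE TEXT LABEL: print OK/FAIL for a line that must be present.
require_line() {
    if grep -qF -- "$2" "$1"; then
        echo "OK    $3"
    else
        echo "FAIL  $3"
        return 1
    fi
}

# audit_join_log FILE: report findings; return 1 if any required line is missing.
audit_join_log() {
    log="$1"
    rc=0
    require_line "$log" 'Unset "Use Des Key Only" bit.'     'DES-only keys not requested for the computer account' || rc=1
    require_line "$log" 'Unset "Trust for delegation" bit.' 'computer account not trusted for delegation'          || rc=1
    require_line "$log" 'using AES enctypes'                'AES encryption types enabled on the computer object'  || rc=1
    require_line "$log" 'Password change succeeded'         'machine account password set'                         || rc=1
    require_line "$log" 'Writing kerberos keytab'           'host keytab written'                                  || rc=1
    require_line "$log" 'successfully joined the Active Directory domain' 'join reported successful'               || rc=1
    require_line "$log" 'Adclient startup completed'        'adclient started after the join'                      || rc=1

    # A pre-existing object means adjoin reset that account's password: fine for a
    # re-join of the same host, but it breaks any other host still using the account.
    obj="$(sed -n 's/^Found existing computer object: //p' "$log" | head -n 1)"
    if [ -n "$obj" ]; then
        echo "WARN  reused existing computer object $obj; confirm it belonged to this host"
    fi
    if grep -qF 'rely upon PAM and NSS' "$log"; then
        echo "NOTE  restart PAM/NSS-dependent services (or reboot) before testing AD logins"
    fi
    echo "INFO  domain=$(join_option "$log" domain) zone=$(join_option "$log" zone)" \
         "container=$(join_option "$log" container) set_time=$(join_option "$log" 'set time')"
    return "$rc"
}

# write_sample_log FILE: constructed sample, trimmed from the transcript above.
write_sample_log() {
    cat > "$1" <<'EOF'
Options
-------
domain: ad.com
user: saurkuma@AD.COM
container: null
computer name: m2
zone: Auto Zone
set time: yes
des: no
Setting time
Using domain controller: adserver.ad.com writable=true
Found existing computer object: CN=m2,CN=Computers,DC=ad,DC=com
Using cn=computers,dc=ad,dc=com container for computer object
Unset "Trust for delegation" bit.
Unset "Use Des Key Only" bit.
Set operatingSystemVersion to "6.1:6.6", so that KDC will issue service ticket using AES enctypes.
Setting machine password...
Password change succeeded
Writing kerberos keytab
Join to domain:ad.com, zone:Auto Zone successful
Adclient startup completed!
You have successfully joined the Active Directory domain: ad.com
You may need to restart other services that rely upon PAM and NSS or simply
reboot the computer for proper operation.
EOF
}

# Usage:  audit_join_log /root/adjoin.log
```

Run it against the log of every join that automation performs. The WARN on a reused computer object is the line to look at when a host has been joined twice, as here (the Deployment Manager run had already created CN=m2), or when a stale account left by a decommissioned host with the same name gets picked up.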

Centrify Guru I
Posts: 1,784
Registered: 07-26-2012
#5 of 7

Re: Not able to login to my unix machine via AD id


@Saurabh37982,

 

My personal preference is not to use Deployment Manager and to use tools like Chef or Puppet for Centrify client deployment instead. This eliminates unnecessary components and complexity.

 

Some final observations:

 

"when I installed the agent via the DirectManager console, why was it not added to the domain only on this server, and how was it added to the other servers? I did not get any error during the deployment steps"

 

That's because when you do step 4, you have to select the "join active directory" checkbox in the wizard and provide an AD account.

 

[root@m2 ~]# /etc/init.d/centrifyd
centrifyda  centrifydc

 

I noticed that you deployed our Audit client.  You have to remove it, since this capability requires Enterprise Edition.

Remove it with yum or rpm.  It added unnecessary configuration to your system.

 

R.P

 

 

Participant II
Posts: 4
Registered: 03-03-2017
#6 of 7

Re: Not able to login to my unix machine via AD id

@Robertson

 

Thanks a lot for your kind words and feedback. 

Can you please give me the complete command to remove the audit client with yum?

 

Thanks in advance. 

Centrify Guru I
Posts: 1,784
Registered: 07-26-2012
#7 of 7

Re: Not able to login to my unix machine via AD id


If using yum

$ sudo yum erase CentrifyDA

 

If using RPM

  1. Find the CentrifyDA RPM package name
    $ sudo rpm -qa | grep CentrifyDA
    CentrifyDA-3.4.0-204.x86_64
  2. Erase the package
    $ sudo rpm -e CentrifyDA-3.4.0-204.x86_64

 

R.P
