
Through the DirectManage Express or DirectControl Express downloads you can quickly and easily join 11.10 (Oneiric) servers and desktops to Active Directory. With either approach, an intelligent install script installs the DirectControl Express agent and joins the system to Active Directory.

 

Many Ubuntu users, however, prefer to install software packages like Centrify DirectControl Express using the built-in package managers such as Software Center, Synaptic, Adept, Aptitude, apt-get or others.

 

Recently, Canonical has certified and published Centrify DirectControl Express in the 11.10 Oneiric Partner Repository. This article describes how to ensure that the partner repository is available, how to install DirectControl Express, and how to join a system to Active Directory...

 


Sumana_Centrify

Exploring your SSH Options with Centrify Express

by Centrify ‎03-23-2011 02:19 PM - edited ‎03-23-2011 02:33 PM


 

While Centrify Express enables organizations to secure and manage their UNIX and Linux systems using the Active Directory tools currently deployed for their Windows systems, Centrify also recognizes that system administrators employ a variety of Linux and UNIX tools for day-to-day operations. In particular, IT managers rely heavily on remote access solutions, including open source tools and offerings from commercial providers, to access the systems they need to manage.

 

One such popular protocol for remote access is SSH (aka Secure Shell), which enables data to be exchanged using a secure channel between two systems.  SSH has become the de facto standard for administrators and users to securely access remote UNIX systems.

Centrify Express lets you leverage SSH in a number of ways.  Here are the various options available to you:

 

1. Use the SSH that comes with your underlying operating systems

 

Both Centrify Express and Centrify Suite fully support the use of “stock” SSH.  For a quick video on how to configure systems on which you have installed Centrify Express to use stock SSH, click here.  Centrify has thoroughly tested this option and fully supports customers using Centrify Express in conjunction with the underlying OS’s SSH.

 

2. Use a commercial vendor’s SSH solution

 

For commercial products from vendors such as Attachmate, Hummingbird and Tectia, Centrify provides application notes that explain how to configure those tools and DirectControl for silent authentication to remote systems. Application notes are available for:

 

3. Use Centrify-enabled OpenSSH


Based on customer feedback, Centrify also delivers Centrify-enabled OpenSSH as an SSH option that you can choose to use.  Centrify-enabled OpenSSH is the current version of OpenSSH, built from the standard OpenSSH source with no modifications; the only difference is that at compile time we link OpenSSH against the DirectControl Kerberos libraries so that single sign-on works seamlessly in an Active Directory environment.

 

Why did customers ask us to do this?  There are two main reasons:

 

First, customers have found that some versions of OpenSSH installed on their various operating systems do not support Kerberos, or do not support it well out of the box.  Compare that to Centrify-enabled OpenSSH, which supports Kerberos SSO on all platforms.  It also supports GSS Key Exchange, which simplifies establishing trust between hosts, a feature that is not part of the standard OpenSSH distribution. Other technical advantages of Centrify-enabled OpenSSH include:


  • The OpenSSH client and server are preconfigured to automatically support PAM and Kerberos.
  • There is no need for DNS-to-realm mapping because DirectControl knows the relationship between hosts and their SPNs.
  • There is no need for a .k5login file in the user's home directory since DirectControl can automatically map the UPN (User Principal Name) in the Kerberos ticket to the UNIX profile for the Active Directory username presented in the ticket.
  • DirectControl will accept connections to any of the computer's valid hostnames, either fully qualified or not, because all combinations are registered with Active Directory. This further reduces the dependency on accurate DNS entries to enable Kerberos to operate properly.
  • The installation process automatically updates the $PATH environment variable by adding /usr/share/centrifydc/bin for all users and /usr/share/centrifydc/sbin for administrators and super users, making direct access to OpenSSH possible.

Second, many customers told us that they are also looking for a consistent version of OpenSSH across their platforms and do not want to be in the business of maintaining OpenSSH.  For example, say you are running a mixed environment of Ubuntu 10.04, SUSE 11.2 and Fedora 13. That means you are running OpenSSH versions 5.3p1, 5.2p1 and 5.4p1 respectively, and some of these versions may not include the latest security enhancements and fixes.  Centrify lets you run a consistent and more up-to-date version of OpenSSH across your heterogeneous environment, one that is continuously updated and fully supported by Centrify.

 

Based on these two business needs, we deliver Centrify-enabled OpenSSH.  This is very much analogous to why we deliver Centrify-enabled PuTTY.  The baseline PuTTY utility does not support Kerberos or GSS key exchange. To enhance security and enable single sign-on with your Active Directory account, Centrify delivers a packaged and tested version of PuTTY that works seamlessly with UNIX and Linux systems that have been joined to Active Directory using the Centrify Suite or Centrify Express.

 

Please note that Centrify provides Centrify-enabled OpenSSH as a convenience to you, but if you want to use the SSH provided by the OS vendor, or use a commercial SSH vendor, Centrify Express fully supports that too.  Centrify-enabled OpenSSH is an option, not a requirement.

 

Please also note that when you install Centrify-enabled OpenSSH, it does NOT replace any OS-vendor supplied binaries. The installation process does edit system configuration files to allow the OS to see and use our OpenSSH, and before we do that we make a backup copy of the file so that we can put the system back the way it was if the user decides to remove Centrify software for some reason.

 

Centrify and OpenSSH FAQ


Here are some questions that you might have:

 

Q.  Am I forced to use the Centrify-enabled OpenSSH when I install Centrify Express?

 

A.  Nope, you can use the SSH that comes with the underlying OS or you can use a commercial SSH solution.  Your choice.

 

Q.  Does Centrify-enabled OpenSSH modify operating system binaries?

 

A.  No.  Centrify-enabled OpenSSH is non-invasive and is installed in its own separate location, alongside the SSH that comes with your operating system.

 

Q.  Does your Quality Assurance (QA) department test all these options out?

 

A.  Yes. It would be less of a strain if we supported just one option, but because different customers have different needs and we want to accommodate those requirements, we gladly take on this little bit of extra burden to ensure customer satisfaction.

 

Q.  So which SSH option do you recommend?

 

A.  We recommend whichever one you want to use.  We think choice is good.  If you feel the Centrify-enabled OpenSSH is a better choice for you in terms of getting an out-of-the-box AD integration experience and consistency across your platforms, go for it.  But our feelings won’t be hurt if you don’t use it.  Just use the Custom (C) option when you run the install.sh installation program to install the DirectControl package by itself, without Centrify-enabled OpenSSH.  If you think the choices are too confusing, or are not sure, then we recommend that you simply use the stock SSH that comes with your underlying OSes, which we fully support; you can always switch later to our Centrify-enabled OpenSSH or a commercial version.

To uninstall the Deployment Manager, complete the following steps:

 

  1. Click Start > Control Panel > Add or Remove Programs.
  2. Scroll to Centrify Deployment Manager versionNumber and click Remove.
  3. Click Yes to confirm removal when you see the message: Are you sure you want to remove Centrify Deployment Manager versionNumber from your computer?

Notes

 

Uninstalling the Deployment Manager MMC application does not remove the Microsoft SQL Server Compact Edition database that contains the machine and environment information gathered by the Deployment Manager. If you install a new version of the Deployment Manager, you will see the same machine and environment information as in the previous version.


On the other hand, if you want to install a new version of Deployment Manager without any existing machine and environment data, or if you simply want to remove this information from your computer, you can delete the database, which is located at:

 

  • Pre-Vista operating systems: C:\Documents and Settings\Administrator\Application Data\Centrify\DeploymentManager\datastore.sdf
  • Vista and later operating systems: C:\Users\User\AppData\Roaming\Centrify\DeploymentManager\datastore.sdf 

You should also delete the contents of the Packages directory, which contains any software packages you downloaded for deployment.

Sumana_Centrify

How to: Uninstall Centrify DirectControl Express

by Centrify ‎03-10-2011 09:13 AM - edited ‎03-10-2011 09:16 AM

On most Centrify DirectControl-managed systems, you can remove the Centrify DirectControl Agent and related files by running the uninstall.sh script. The uninstall.sh script is installed by default in the /usr/share/centrifydc/bin directory on each Centrify DirectControl-managed system.

To remove Centrify DirectControl on a Linux, UNIX, or Mac OS X computer:

 

1) Log on to the computer where the Centrify DirectControl Agent is installed.

 

2) Run the uninstall.sh script. For example:

 

/bin/sh /usr/share/centrifydc/bin/uninstall.sh


The uninstall.sh script will detect whether the Centrify DirectControl Agent is currently installed on the local computer and will ask you whether you want to uninstall your current Centrify DirectControl installation.

 

3) To uninstall Centrify DirectControl, enter Y when prompted.

 

If you cannot locate or are unable to run the uninstall.sh script, you can use the appropriate command for the local operating environment to remove the Centrify DirectControl Agent and related files. The following list summarizes the commands to use in different environments:

  • Red Hat Linux, SuSE Linux: run rpm -e centrifydc
  • Debian Linux: run dpkg -P centrifydc
  • Mac OS X: there is no package command; you must use the uninstall.sh script to remove Centrify DirectControl files on Macintosh computers.

 

After joining an Ubuntu system to your Active Directory domain using Centrify Express, you can set up a specific user as an administrator by adding their Active Directory user name to the local admin group. This short video walks you through the steps to add the name and test that it was done correctly.

 

 

This brief video shows you how to configure WinSCP for single sign-on to UNIX or Linux systems using Windows Active Directory credentials. Once the target UNIX or Linux system has been joined to Active Directory using Centrify Express, a free solution for Active Directory single sign-on to UNIX, Linux and Mac, you only need to change a few settings in WinSCP to enable transparent SSO to those systems.

 

Through the DirectManage Express or DirectControl Express downloads you can quickly and easily join Ubuntu 10.04 LTS (Lucid), 10.10 (Maverick) or 11.04 (Natty) servers and desktops to Active Directory. With either approach, an intelligent install script installs the DirectControl Express agent and joins the system to Active Directory.

 

 

Many Ubuntu users, however, prefer to install software packages like Centrify DirectControl Express using the built-in package managers such as Software Center, Synaptic, Adept, Aptitude, apt-get or others.

 

 

Recently, Canonical has certified and published Centrify DirectControl Express in the 10.04 LTS Lucid, 10.10 Maverick and 11.04 Natty Partner Repositories. This article describes how to ensure that the partner repository is available, how to install DirectControl Express, and how to join a system to Active Directory...

 


Corey

Public Class: Active Directory Fundamentals

by Centrify on ‎09-01-2010 01:28 PM - last edited on ‎01-15-2013 04:31 PM by Community Manager

Previously only available to Centrify customers, we are making this great course on Active Directory fundamentals available for free. 

 

Great for UNIX/Linux admins who just need a bit of help with the Active Directory basics, check it out and let us know what you think! (Don't worry, for you AD experts, we have created a UNIX/Linux Fundamentals course for you too!)

 


Corey

Public Class: UNIX/Linux Fundamentals

by Centrify on ‎09-01-2010 01:20 PM - last edited on ‎01-15-2013 04:33 PM by Community Manager

Previously only available to Centrify customers, we are making this great course on UNIX/Linux fundamentals available for free. 

 

Great for Windows admins who just need a bit of help with the UNIX/Linux basics, check it out and let us know what you think! (Don't worry, for you UNIX/Linux experts, we have created an Active Directory Fundamentals course for you too!)

 


You can use Centrify's patent-pending Zone technology to tightly control who can access which systems. While Zones are a key tool in meeting IT security and compliance requirements, smaller organizations may not need them and may choose to join systems to Active Directory using Auto Zone mode. Centrify Express also joins systems to Active Directory using Auto Zone mode. This video explains the differences in the way UNIX profile information such as UIDs and GIDs are handled between the two modes.



Auto Zone Mode

  • UIDs, GIDs are auto-generated based on user’s SID and RID (Relative Identifier) 

In DirectControl Express, when an Active Directory user logs into a UNIX computer for the first time, DirectControl automatically creates a 31-bit UNIX UID for the user and a GID for each group to which the user belongs. To create these UIDs and GIDs, DirectControl builds a prefix from the last 9 bits of the user or group SID (Security Identifier) and combines it with the lower 22 bits of the user or group RID (Relative Identifier).

  • There is no storage of UIDs, GIDs in AD, hence they can’t be manipulated via ADUC.

Although DirectControl Express caches these UIDs and GIDs, they are not stored in Active Directory, and consequently you cannot edit or change them in any way with Active Directory Users and Computers (ADUC).  If the cache expires, DirectControl uses the same algorithm to create the same UID and GID the next time the user logs in, so you are guaranteed consistent ownership for files and resources.  Note: this is in contrast to fully-featured DirectControl, which stores UIDs and GIDs in Active Directory.

  • No storage in AD means no multiple mapping of UIDS to single AD account.

In Auto Zone mode, UIDs and GIDs are not stored in Active Directory, so you cannot have multiple UNIX profiles for the same AD user.

  • No migration of existing UIDs/GIDs and No granular delegation of permissions.

When using Centrify DirectControl Express, you have no access to the DirectControl Admin Console hence the above operations are not feasible.

  • Anyone can log in with an AD username/password; access control can only be done via pam.allow/pam.deny, so there is no centralization of who can log in to which system.

When you join a domain by connecting to Auto Zone, all AD users and groups defined in Active Directory for the forest automatically become valid users and groups on every UNIX machine. In addition, all Active Directory users defined in a forest with a two-way, cross-forest trust relationship to the forest of the joined domain are also valid users for the UNIX machine.

Although all users and groups have default access to all machines joined to Auto Zone, you may still control access to any particular machine by setting parameters, such as pam.deny.users/groups and pam.allow.users/groups, in the Centrify DirectControl configuration file.
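A model of the Auto Zone ID derivation described above, plus a check for the collisions that become possible once users from every trusted forest are valid on each joined machine. This is an added example, not Centrify's code: it assumes the 9-bit prefix is taken from the low bits of the domain's last sub-authority (the one before the RID) and sits above the 22 RID bits, since the page does not state the bit layout, and the SIDs are constructed.

```python
"""Model of Auto Zone UID/GID generation (added example, not Centrify code)."""
import re
from collections import defaultdict

# S-<revision>-<authority>-<sub-authority>...-<RID>; at least domain part + RID
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+){2,}$")

PREFIX_BITS = 9   # bits taken from the SID, as the text describes
RID_BITS = 22     # low bits of the RID, as the text describes


def parse_sid(sid: str):
    """Return (revision, authority, [sub-authorities]) for a string SID.

    The last sub-authority is the RID; the ones before it identify the domain.
    Malformed input raises ValueError rather than yielding a garbage ID.
    """
    if not _SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    parts = sid.split("-")
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def auto_zone_id(sid: str) -> int:
    """Derive a 31-bit UNIX UID/GID from a user or group SID.

    Assumption (not stated on the page): the 9-bit prefix comes from the low
    bits of the domain's last sub-authority and is placed above the 22 RID
    bits, so the result always fits in 9 + 22 = 31 bits.
    """
    _, _, subs = parse_sid(sid)
    domain_tail, rid = subs[-2], subs[-1]
    prefix = domain_tail & ((1 << PREFIX_BITS) - 1)
    low_rid = rid & ((1 << RID_BITS) - 1)
    return (prefix << RID_BITS) | low_rid


def find_id_collisions(sids):
    """Group SIDs that map to the same generated ID.

    Only 9 bits of the domain and 22 bits of the RID survive, so principals
    from different domains (for example across a forest trust) can share a
    UID; running this over the SIDs you expect to log in lets an admin spot
    that before it shows up as shared file ownership.
    """
    by_id = defaultdict(list)
    for sid in sids:
        by_id[auto_zone_id(sid)].append(sid)
    return {uid: owners for uid, owners in by_id.items() if len(owners) > 1}


if __name__ == "__main__":
    # Constructed sample SIDs, not taken from any real directory.
    sample = [
        "S-1-5-21-1004336348-1177238915-682003330-1001",
        "S-1-5-21-1004336348-1177238915-682003330-1002",
        "S-1-5-21-7-7-898-1001",  # 898 = 386 + 512: same 9-bit prefix as above
    ]
    for s in sample:
        print(s, "->", auto_zone_id(s))
    print("collisions:", find_id_collisions(sample))
```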

Zone Mode

  • Unix information is stored in AD, you can auto-generate UIDs/GIDs.

When using the fully-featured version of DirectControl, you can perform a certain amount of configuration in the DirectControl Console, such as defining a zone and adding Active Directory users and groups to the zone. You can predefine the starting UID/GID number using the UID/GID Manager under the zone. Adding a user or group under the zone automatically increments the UID or GID respectively.

  • Can map multiple Unix Profile under the zone to single AD Account

The DirectControl admin console allows you to have multiple UNIX profiles for an AD user under the zone. This is useful when you want to segregate admin operations from regular user operations for the same AD user.

  • Allows importing of Unix account information from local configuration files such as /etc/passwd, /etc/group or from NIS

In many cases, you may already have UNIX account information defined in local configuration files (such as /etc/passwd and /etc/group) or in a networked identity store, such as NIS, NIS+, or LDAP, or in both. You can import that information and map it to Active Directory users and groups under the zone using the Import Wizard tools under the zone.

  • Segregate collections of Unix, Linux, and Mac systems

When using the fully-featured version of DirectControl, one of the most important aspects of managing UNIX, Linux, and Mac OS X systems through the DirectControl Administrator Console is the ability to organize computers, and users’ access to those computers, using zones.

A DirectControl zone is similar to an Active Directory organizational unit (OU) or NIS domain. Zones allow you to organize the computers in your organization in meaningful ways to simplify account and access management and the migration of information from existing sources to Active Directory.

 

How you use zones will depend primarily on the needs of your organization. In some organizations, a single default zone is sufficient. In other organizations, using multiple zones may be a necessity.

  • Granular access control via Zones, all centralized

For each zone you create, you have an ability to identify at least one user or group that can be delegated to perform all administrative tasks.

 

For example, if you have a Finance zone, you can create a Finance Admins group in Active Directory and then delegate All tasks to that group so that members of that group can manage the zone. Although you are not required to create or use a zone administrator group for every zone, assigning the management of each zone to a specific user or group simplifies the delegation of administrative tasks. If you choose finer-grained control, for example allowing one group only to join computers to the domain and zone and another only to add and remove users, you should ensure the members of those groups know their restricted roles.

One of the most important prerequisites to successfully installing and joining the Centrify DirectControl agent on a UNIX, Linux or Mac system is to ensure that DNS is configured properly to allow communication between that system and your Active Directory domain controllers. This video shows you how to configure and test DNS yourself. It also includes information on which ports need to be open to enable communication through a firewall.

 

This video shows how quickly you can install DirectControl Express on a Linux system and join it to Active Directory.

 

Sumana_Centrify

How to: Install Centrify-Enabled Samba

by Centrify ‎06-22-2010 01:07 PM - edited ‎06-29-2010 09:43 PM

After joining a system to Active Directory using DirectControl, you can follow the steps in this video to install and configure Centrify's enhanced version of Samba.

 

The Centrify DirectControl package automatically installs Centrify's enhanced version of OpenSSH. However, you can configure the system to use stock SSH instead with the few simple steps demonstrated in this video.

 

 

If you need to diagnose problems on a system running the Centrify-enabled version of Samba, follow these steps to direct system activity to a log file for analysis.

 

 

The Centrify DirectControl agent can record activity to a log file for troubleshooting purposes. Watch this video to see how to turn debugging on and off.