
Centrify Express with Linux Mint?

Participant III
Posts: 7
Registered: ‎04-05-2017
#1 of 4 1,179

Centrify Express with Linux Mint?

Hello,

 

Just a quick question. Are there any people on here using Centrify Express with Linux Mint 17.x/18.x?

 

I would just like to get some confidence that it does work with this distribution before doing further work trying to make it work.

 

Thanks!

 

Paul.

Centrify Guru I
Posts: 1,870
Registered: ‎07-26-2012
#2 of 4 1,157

Re: Centrify Express with Linux Mint?


@PaulD16796,

 

Linux Mint 17/18 is in the supported platforms that we QA, otherwise we would not publish it in the list.

 

This is good practice, so here it is:

Version Check

$ cat /etc/linuxmint/info
RELEASE=18
CODENAME=sarah
EDITION="Cinnamon 64-bit"
DESCRIPTION="Linux Mint 18 Sarah"
DESKTOP=Gnome
TOOLKIT=GTK
NEW_FEATURES_URL=http://www.linuxmint.com/rel_sarah_cinnamon_whatsnew.php
RELEASE_NOTES_URL=http://www.linuxmint.com/rel_sarah_cinnamon.php
USER_GUIDE_URL=help:linuxmint
GRUB_TITLE=Linux Mint 18 Cinnamon 64-bit

Installation - Checking the packages (I added the Centrify repo)

$ apt list --all-versions | grep centrifydc
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
centrifydc/stable 5.4.0-286 amd64
centrifydc/stable 5.3.1-411 amd64
centrifydc/stable 5.3.1-402 amd64
centrifydc/stable 5.3.0-220 amd64
centrifydc-curl/stable 5.4.0-286 amd64
centrifydc-ldapproxy/stable 5.4.0-286 amd64
centrifydc-ldapproxy/stable 5.3.1-411 amd64
centrifydc-ldapproxy/stable 5.3.1-402 amd64
centrifydc-ldapproxy/stable 5.3.0-220 amd64
centrifydc-nis/stable 5.4.0-286 amd64
centrifydc-nis/stable 5.3.1-411 amd64
centrifydc-nis/stable 5.3.1-402 amd64
centrifydc-nis/stable 5.3.0-220 amd64
centrifydc-openldap/stable 5.4.0-286 amd64
centrifydc-openssh/stable 7.3p1-5.4.0.284 amd64
centrifydc-openssh/stable 7.2p2-5.3.1.391 amd64
centrifydc-openssh/stable 7.1p1-5.3.0.208 amd64
centrifydc-openssl/stable 5.4.0-286 amd64
Installation - Setup

$ sudo apt-get install centrifydc
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
centrifydc-curl centrifydc-openldap centrifydc-openssl
The following NEW packages will be installed:
centrifydc centrifydc-curl centrifydc-openldap centrifydc-openssl
0 upgraded, 4 newly installed, 0 to remove and 527 not upgraded.
Need to get 30.6 MB of archives.
After this operation, 80.6 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 https://repo.centrify.com/deb stable/main amd64 centrifydc-openssl amd64 5.4.0-286 [2,380 kB]
Get:2 https://repo.centrify.com/deb stable/main amd64 centrifydc-openldap amd64 5.4.0-286 [2,160 kB]
Get:3 https://repo.centrify.com/deb stable/main amd64 centrifydc-curl amd64 5.4.0-286 [336 kB]
Get:4 https://repo.centrify.com/deb stable/main amd64 centrifydc amd64 5.4.0-286 [25.7 MB]
Fetched 30.6 MB in 15s (2,036 kB/s)
Selecting previously unselected package centrifydc-openssl.
(Reading database ... 196079 files and directories currently installed.)
Preparing to unpack .../centrifydc-openssl_5.4.0-286_amd64.deb ...
Unpacking centrifydc-openssl (5.4.0-286) ...
Selecting previously unselected package centrifydc-openldap.
Preparing to unpack .../centrifydc-openldap_5.4.0-286_amd64.deb ...
Unpacking centrifydc-openldap (5.4.0-286) ...
Selecting previously unselected package centrifydc-curl.
Preparing to unpack .../centrifydc-curl_5.4.0-286_amd64.deb ...
Unpacking centrifydc-curl (5.4.0-286) ...
Selecting previously unselected package centrifydc.
Preparing to unpack .../centrifydc_5.4.0-286_amd64.deb ...
Unpacking centrifydc (5.4.0-286) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for systemd (229-4ubuntu4) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up centrifydc-openssl (5.4.0-286) ...
Setting up centrifydc-openldap (5.4.0-286) ...
Setting up centrifydc-curl (5.4.0-286) ...
Setting up centrifydc (5.4.0-286) ...

Configuration - Pre-flight checklist (config files)

# first, check the /etc/nsswitch.conf and /etc/pam.d have no entries or that Kerberos is not configured
$ cat /etc/pam.d/common-auth | grep centrify
$ cat /etc/nsswitch.conf | grep centrify
$ cat /etc/krb5.conf | grep centrify.vms
cat: /etc/krb5.conf: No such file or directory


Running adcheck to verify that all is well to join Active Directory

$ /usr/share/centrifydc/bin/adcheck centrify.vms
OSCHK : Verify that this is a supported OS : Pass
PATCH : Linux patch check : Pass
PORTMAP : Verify that portmap or rpcbind is installed : Warning
: Could not install CentrifyDC-nis package.
: PORTMAP not installed. Please install required
: portmap or rpcbind package, which CentrifyDC-nis
: depends on
PERL : Verify perl is present and is a good version : Pass
SAMBA : Inspecting Samba installation : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass
HOSTNAME : Verify hostname setting : Pass
NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass
DNSPROBE : Probe DNS server 127.0.1.1 : Pass
DNSCHECK : Analyze basic health of DNS servers : Warning
: Only one DNS server was found in /etc/resolv.conf.
: At least one backup DNS server is recommended for
: enterprise installations.
: Only one good DNS server was found
: You might be able to continue but it is likely that you
: will have problems.
: Add more good DNS servers into /etc/resolv.conf.
WHATSSH : Is this an SSH that DirectControl works well with : Pass
SSH : SSHD version and configuration : Warning
: You are running OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g-fips 1 Mar 2016.
:
: This version of OpenSSH does not seem to be configured for PAM,
: ChallengeResponse and Kerberos/GSSAPI support.
: To get Active Directory users to successfully login,
: you need to configure your OpenSSH with the following options:
: (display the ones we identified were not set)
: ChallengeResponseAuthentication yes
: UsePAM Yes
:
: Centrify provides a version of OpenSSH that's configured properly
: to allow AD users to login and provides Kerberos GSSAPI support.
DOMNAME : Check that the domain name is reasonable : Pass
ADDC : Find domain controllers in DNS : Pass
ADDNS : DNS lookup of DC dc.centrify.vms : Pass
ADPORT : Port scan of DC dc.centrify.vms 192.168.81.10 : Pass
ADPORT : Port scan of DC dc.centrify.vms 192.168.184.130 : Pass
ADDC : Check Domain Controllers : Pass
ADDNS : DNS lookup of DC dc.centrify.vms : Pass
GCPORT : Port scan of GC dc.centrify.vms 192.168.81.10 : Pass
GCPORT : Port scan of GC dc.centrify.vms 192.168.184.130 : Pass
ADGC : Check Global Catalog servers : Pass
DCUP : Check for operational DCs in centrify.vms : Pass
SITEUP : Check DCs for centrify.vms in our site : Pass
DNSSYM : Check DNS server symmetry : Pass
ADSITE : Check that this machine's subnet is in a site known by AD : Pass
GSITE : See if we think this is the correct site : Pass
TIME : Check clock synchronization : Pass
ADSYNC : Check domains all synchronized : Pass
3 warnings were encountered during check. We recommend checking these before proceeding

# none of the warnings apply to me (no NIS package, any OpenSSH is fine, and one DNS is fine - testing)

 

Configuration - Joining AD

# you must run the adjoin command with the workstation flag and have an authorized user that can join (diana).
# note that commercial customers (that get privilege management and more) usually join in zone mode.

 

$ sudo adjoin -w -u dwirth centrify.vms
dwirth@CENTRIFY.VMS's password:
Using domain controller: dc.centrify.vms writable=true
Join to domain:centrify.vms, zone:Auto Zone successful
Centrify DirectControl started.
Loading domains and trusts information
Initializing cache
.
You have successfully joined the Active Directory domain: centrify.vms
in the Centrify DirectControl zone: Auto Zone

You may need to restart other services that rely upon PAM and NSS or simply
reboot the computer for proper operation. 

Verification - Config Files

Check to see if Centrify has taken care of all the UNIX frameworks and Kerberos

$ cat /etc/pam.d/common-auth | grep centrify
auth sufficient pam_centrifydc.so
auth requisite pam_centrifydc.so deny
$ cat /etc/nsswitch.conf | grep centrify
passwd: centrifydc compat
group: centrifydc compat
shadow: centrifydc compat
$ cat /etc/krb5.conf | grep centrify.vms
dc.centrify.vms = CENTRIFY.VMS
.centrify.vms = CENTRIFY.VMS
centrify.vms = CENTRIFY.VMS
mint64.centrify.vms = CENTRIFY.VMS
kdc = dc.centrify.vms:88
master_kdc = dc.centrify.vms:88
kpasswd = dc.centrify.vms:464
kpasswd_server = dc.centrify.vms:464

 

Checking functionality
List AD users (simpsons only)

$ adquery user | grep simpson
bart.simpson:x:1040191032:1040191032:Bart Simpson:/home/bart.simpson:/bin/bash
homer.simpson:x:1040191034:1040191034:Homer Simpson:/home/homer.simpson:/bin/bash
lisa.simpson:x:1040191030:1040191030:Lisa Simpson:/home/lisa.simpson:/bin/bash
maggie.simpson:x:1040191033:1040191033:Maggie Simpson:/home/maggie.simpson:/bin/bash
marge.simpson:x:1040191031:1040191031:Marge Simpson:/home/marge.simpson:/bin/bash

List AD groups (simpsons only)

$ adquery group | grep simpson
centrify-global-unixgroup-simpson:x:1040191043:dwirth,lisa.simpson
centrify-global-mixed-pci-auditor:x:1040191041:homer.simpson
centrify-global-unix-dbas:x:1040191040:lisa.simpson
centrify-global-unix-sysadmins:x:1040191038:marge.simpson
centrify-global-unix-webadmins:x:1040191039:bart.simpson
centrify-global-windows-admins:x:1040191042:maggie.simpson
ad-aws-ec2-users:x:1040191526:lisa.simpson

Get more information about Bart

centrifying@mint64 ~ $ adquery user -A bart.simpson
unixname:bart.simpson
uid:1040191032
gid:1040191032
gecos:Bart Simpson
home:/home/bart.simpson
shell:/bin/bash
auditLevel:AuditIfPossible
isAlwaysPermitLogin:false
dn:CN=Bart Simpson,OU=Simpsons,OU=Staff,DC=centrify,DC=vms
samAccountName:bart.simpson
displayName:Bart Simpson
sid:S-1-5-21-3883016548-1611565816-1967702834-3640
canonicalName:centrify.vms/Staff/Simpsons/Bart Simpson
passwordHash:x
guid:3cd2b690-b24c-4d5c-a125-2e7733dea990
requireMfa:false
zoneEnabled:true
unixGroups:bart.simpson,centrify-global-unix-webadmins,domain_users
memberOf:centrify.vms/Centrify/User Roles/centrify-global-unix-webadmins,centrify.vms/Users/Domain Users

Get more information about ad-aws-ec2-users

$ adquery group -A ad-aws-ec2-users
unixname:ad-aws-ec2-users
gid:1040191526
required:false
dn:CN=AD-AWS-EC2-Users,OU=Groups,OU=Staff,DC=centrify,DC=vms
groupType:global security
samAccountName:AD-AWS-EC2-Users
sid:S-1-5-21-3883016548-1611565816-1967702834-4134
canonicalName:centrify.vms/Staff/Groups/AD-AWS-EC2-Users
members:centrify.vms/Staff/Simpsons/Lisa Simpson
unixMembers:lisa.simpson

Login using Switch User (bart)

$ su - bart.simpson
Password:
Password will expire in 41 days
Created home directory

Login Using SSH Client (lisa)

$ ssh lisa.simpson@mint64.centrify.vms
The authenticity of host 'mint64.centrify.vms (127.0.1.1)' can't be established.
ECDSA key fingerprint is SHA256:GRB+Bk2JTaLtynCMp67O2jHSlNoWSciMCuIBhFtHEMg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'mint64.centrify.vms' (ECDSA) to the list of known hosts.
lisa.simpson@mint64.centrify.vms's password:
Password will expire in 1 days
Created home directory
Welcome to Linux Mint 18 Sarah (GNU/Linux 4.4.0-21-generic x86_64)
* Documentation: https://www.linuxmint.com

Login via GUI (after reboot, with Bart)

(screenshot: minty.png)

 

I think this should cover it.  

My personal hunch is that there's something unorthodox in your system (configuration).

 

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
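The pre-flight checklist, the post-join config verification and the adcheck review above are all "grep and eyeball" steps. As an added example (my own, not code from the post or from Centrify), the POSIX shell script below turns them into functions that can be pointed at a real host's files (pass / as the root) or at a constructed fixture tree. The fixture files and the saved adcheck transcript it builds are constructed from the output shown in the post; the krb5.conf fragment is assumed (the post only shows grep output), and adcheck_flagged assumes the "NAME : description : Result" line layout shown above, with "Warning" as the only non-Pass result the post demonstrates.

```shell
#!/bin/sh
# Added example, not part of the original thread. Checks mirror Robertson's
# pre-flight (nothing Centrify-related yet) and post-join (centrifydc in NSS,
# pam_centrifydc.so in PAM, a KDC in krb5.conf) steps, relative to a root dir.

# Pre-flight: expect no Centrify references in the three config files.
# Returns 0 when the files are clean, 1 when one already mentions centrify.
centrify_preflight() {
    root="$1"
    for f in etc/nsswitch.conf etc/pam.d/common-auth etc/krb5.conf; do
        if [ -f "$root/$f" ] && grep -qi centrify "$root/$f"; then
            echo "WARN $f already mentions centrify - inspect before adjoin"
            return 1
        fi
    done
    echo "PASS no prior Centrify configuration found"
    return 0
}

# Post-join: expect the markers the post shows grep returning after adjoin.
# Prints one PASS/FAIL line per marker; returns 0 only if all are present.
centrify_verify() {
    root="$1"
    fail=0
    for db in passwd group shadow; do
        if grep -Eq "^${db}:[[:space:]]+centrifydc" "$root/etc/nsswitch.conf" 2>/dev/null; then
            echo "PASS nsswitch $db lists centrifydc first"
        else
            echo "FAIL nsswitch $db does not list centrifydc first"; fail=1
        fi
    done
    if grep -q 'pam_centrifydc.so' "$root/etc/pam.d/common-auth" 2>/dev/null; then
        echo "PASS common-auth references pam_centrifydc.so"
    else
        echo "FAIL common-auth lacks pam_centrifydc.so"; fail=1
    fi
    # Assumed krb5.conf layout: an indented "kdc = host:port" line in [realms].
    if grep -Eq '^[[:space:]]*kdc[[:space:]]*=' "$root/etc/krb5.conf" 2>/dev/null; then
        echo "PASS krb5.conf names a KDC"
    else
        echo "FAIL krb5.conf missing or has no kdc entry"; fail=1
    fi
    return $fail
}

# Names of adcheck checks that did not Pass, from a saved transcript in the
# "NAME : description : Result" layout. Continuation lines start with ": "
# and contain no " : " separator, so they never match.
adcheck_flagged() {
    awk -F' : ' '$NF ~ /^Warning/ { print $1 }' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Constructed fixture: a pre-join tree, a post-join tree and an adcheck
# transcript, all modelled on the output quoted in the post. Prints its path.
make_fixtures() {
    fx=$(mktemp -d)
    mkdir -p "$fx/pre/etc/pam.d" "$fx/post/etc/pam.d"
    printf 'passwd: compat\ngroup: compat\nshadow: compat\n' > "$fx/pre/etc/nsswitch.conf"
    printf 'auth [success=1 default=ignore] pam_unix.so nullok_secure\n' > "$fx/pre/etc/pam.d/common-auth"
    # no krb5.conf before the join, as in the post
    printf 'passwd: centrifydc compat\ngroup: centrifydc compat\nshadow: centrifydc compat\n' > "$fx/post/etc/nsswitch.conf"
    printf 'auth sufficient pam_centrifydc.so\nauth requisite pam_centrifydc.so deny\n' > "$fx/post/etc/pam.d/common-auth"
    printf '[realms]\n CENTRIFY.VMS = {\n  kdc = dc.centrify.vms:88\n }\n' > "$fx/post/etc/krb5.conf"
    cat > "$fx/adcheck.txt" <<'EOF'
OSCHK : Verify that this is a supported OS : Pass
PORTMAP : Verify that portmap or rpcbind is installed : Warning
: PORTMAP not installed. Please install required
DNSCHECK : Analyze basic health of DNS servers : Warning
: Only one DNS server was found in /etc/resolv.conf.
SSH : SSHD version and configuration : Warning
TIME : Check clock synchronization : Pass
EOF
    echo "$fx"
}

# Demo against the constructed fixtures: sh script.sh --demo
if [ "${1-}" = "--demo" ]; then
    fx=$(make_fixtures)
    echo "== pre-flight on pre-join tree ==";  centrify_preflight "$fx/pre"
    echo "== verify on post-join tree ==";     centrify_verify "$fx/post"
    echo "== adcheck non-Pass checks ==";      adcheck_flagged "$fx/adcheck.txt"; echo
    rm -rf "$fx"
fi
```

On a live host the same functions run as `centrify_preflight /` before adjoin and `centrify_verify /` afterwards, and `adcheck centrify.vms | tee adcheck.txt` gives adcheck_flagged a transcript to summarise; the FAIL lines map directly onto the three config files the post greps.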
Participant III
Posts: 7
Registered: ‎04-05-2017
#3 of 4 1,155

Re: Centrify Express with Linux Mint?

Hi Robertson,

 

Thanks very much for that - gonna do some comparisons to how our systems look, and see how I get on.

 

We have made progress though. On the virtual machine test box (which is how I should have done things from day one), we can now log in with AD credentials, but it's not perfect. At the login GUI, if we hit escape, followed by F1 to get a blank login box, we can type something like:

 

   domain.local\joe.s

 

And then successfully log in. Somewhere, there is a place that is meant to prepend the domain name onto the username and either:

 

   1) It is just not doing it

   2) the domain information is missing, so it cannot do it

   3) there is an error in the domain information, which is what is causing the "incorrect username/password messages".

 

Anyway, I will go through what you sent and see if I can work it out - thanks!!

 

Paul.

Participant III
Posts: 7
Registered: ‎04-05-2017
#4 of 4 1,153

Re: Centrify Express with Linux Mint?

Okay, well, that was interesting. Did not know about that info file, I've always just looked at /etc/issue before, so that's a useful addition to my knowledge - thanks!

 

So, the main difference is that we are using the MATE desktop rather than Cinnamon, but I cannot imagine that would make much of a difference.

 

I seem to remember that there is an auto option somewhere in the install script to do with the domain, and I do wonder if we said no to that and set it manually, if that would make a difference.

 

Anyway, I am unfortunately on a wait state right now, because my domain administrator is not around, so I cannot do any more testing... Can anyone else here say "single point of failure" :-)

 

Cheers!

 

Paul.