Centrify Express For Mac

With Centrify Identity Service™, Mac Edition, you can use Active Directory to centrally manage authentication, policy enforcement, single sign-on (SSO), and user self-service for popular endpoint devices running Mac OS X, iOS, and Android. A key component of Centrify Identity Service, Mac Edition is the Centrify agent for Mac OS X computers.

Centrify's Mac Solution. The biggest reason for the Centrify Mac Express product was to bring Mac user and system management up to par with what was already expected between AD and Windows. There are two different aspects at play here when we begin to discuss what that looks like: system management and user management.

Sep 25, 2012: Centrify DirectControl Express for Smart Card is a free offering based on the same technology as the Centrify DirectControl for Mac OS X Smart Card Edition deployed today across federal, defense and first responder communities.

Background
Automation and orchestration are key capabilities of the modern IT infrastructure. Whether organizations are using private or public clouds, tools like Bladelogic, System Center, Satellite, Chef, Casper, Puppet or homegrown scripts - software should be orchestration friendly.
Centrify Server Suite for UNIX, Linux, and Mac offers a facility that should be leveraged by any savvy IT infrastructure team. The tool is a script called install.sh.
This script is shipped with the gzipped tarball for Centrify software, for example, here are the listings for a RHEL-based system (excluding the release notes):
  • adcheck-rhel4-x86_64
  • centrifyda-3.2.3-rhel4-x86_64.rpm
  • centrifydc-5.2.3-rhel4-x86_64.rpm
  • centrifydc-install.cfg
  • centrifydc-ldapproxy-5.2.3-rhel4-x86_64.rpm
  • centrifydc-nis-5.2.3-rhel4-x86_64.rpm
  • centrifydc-openssh-6.7p1-5.2.3-rhel4-x86_64.rpm
  • centrify-suite.cfg
  • install-express.sh -> install.sh
  • install.sh

Note that all the installation bits are shipped in the native package format of the platform, which gives the administrator the option to bypass install.sh and use the native installer. For example, to install only the base agent you can run

rpm -ivh centrifydc-5.2.3-rhel4-x86_64.rpm
Many admins simply add the RPMs to their repositories and use facilities like yum to install and maintain the packages.
Capabilities of install.sh
  • Interactive install/join operations: walks the user through a series of menus and options
  • Automatic with command options: can be run manually or by an orchestration facility for installations and joins.
  • Automatic with an answer file: any of the .CFG answer files can be used with install.sh
  • Kerberized: install.sh calls adjoin and other utilities that can benefit from Kerberos keytab preauthentication.

install.sh is a script; it acts as an abstraction layer between the package manager of the native OS and any other tool or manual script. This is very powerful because it eliminates the nuances related to each operating system, architecture or distribution.
For example, some AIX systems use the installp facility, RHEL and derivatives use RPM, Debian derivatives like Ubuntu use dpkg, OS X systems use Install.app and so on; install.sh allows for the administrator to have a QA tested way to install Centrify software and perform additional tasks.
When preparing for a release, Centrify will QA install.sh against all the supported platforms.

Basic Automation Playbook
What you need:
a) The keytab for an AD user that can join systems to (or remove them from) the target OUs
For more info on how to create this, click here.
b) A krb5.conf file taken from a working system
c) install.sh (or the native package manager utility)
d) If not using install.sh, you'll need adjoin (or adleave)
Sample Command Sequences
Sample 1: In this sequence, we use the keytab /temp/ad-joiner.keytab together with /temp/krb5.conf, and we use install.sh to install Standard Edition and join the zone called myzone in the acme.test domain, placing the computer in the 'My Servers' OU.
env KRB5_CONFIG=/temp/krb5.conf /usr/share/centrifydc/kerberos/bin/kinit -kt /temp/ad-joiner.keytab ad-joiner
./install.sh --std-suite --adjoin_opt='acme.test -z myzone -c acme.test/My Servers'
Sample 2: In this sequence, we use the keytab /temp/ad-joiner.keytab together with /temp/krb5.conf, and we use rpm to install the standard package and adjoin to join the Global zone in the corp.contoso.com domain, putting the computer under the CentrifyServers OU.
env KRB5_CONFIG=/temp/krb5.conf /usr/share/centrifydc/kerberos/bin/kinit -kt /temp/ad-joiner.keytab ad-joiner

rpm -ivh centrifydc-5.2.3-rhel4-x86_64.rpm

adjoin -z Global -c 'ou=servers,ou=centrify' corp.contoso.com
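An added example, not from the page or from Centrify: a small POSIX sh wrapper that turns the Sample 1 and Sample 2 sequences into an idempotent, non-interactive join step for an orchestration tool. The keytab and krb5.conf paths, the principal name, the package file name and the assumption that adinfo --mode prints "connected" are constructed for this example; it defaults to dry-run and prints the commands it would execute.

```shell
#!/bin/sh
# Added example (not from the page or Centrify): an idempotent, non-interactive join wrapper
# built from the Sample 1 / Sample 2 sequences, intended to be called by an orchestration tool.
# Run it as root so the credential cache that kinit populates is the one adjoin reads.
# Constructed/assumed values: keytab and krb5.conf paths, principal, RPM file name, and that
# `adinfo --mode` prints "connected" once the agent is talking to AD.
KRB5_BIN=/usr/share/centrifydc/kerberos/bin
KEYTAB=${KEYTAB:-/temp/ad-joiner.keytab}      # keytab of the AD account allowed to join the OU
KRB5CONF=${KRB5CONF:-/temp/krb5.conf}         # krb5.conf taken from a working system
PRINCIPAL=${PRINCIPAL:-ad-joiner}
PKG=${PKG:-centrifydc-5.2.3-rhel4-x86_64.rpm} # base agent package for the rpm path
DRY_RUN=${DRY_RUN:-1}                         # 1 = print the commands, 0 = execute them

# Print a command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# The option string install.sh expects after --adjoin_opt= (domain, zone, OU path).
adjoin_opt() { printf '%s -z %s -c %s' "$1" "$2" "$3"; }

# Acquire a TGT from the keytab; no password appears on the command line or in logs.
kinit_from_keytab() {
  run env KRB5_CONFIG="$KRB5CONF" "$KRB5_BIN/kinit" -kt "$KEYTAB" "$PRINCIPAL"
}

# Idempotency check: adinfo --domain prints the joined domain (nothing when not joined).
already_joined() {
  [ "$DRY_RUN" = 1 ] && return 1
  [ "$(adinfo --domain 2>/dev/null)" = "$1" ]
}

# Post-join check: do not hand the host on unless the agent is connected to the right domain.
verify_join() {
  [ "$DRY_RUN" = 1 ] && { echo "+ adinfo --mode && adinfo --domain"; return 0; }
  [ "$(adinfo --mode 2>/dev/null)" = connected ] || { echo "agent not connected" >&2; return 1; }
  [ "$(adinfo --domain 2>/dev/null)" = "$1" ] || { echo "joined to the wrong domain" >&2; return 1; }
}

# Path A (Sample 1): install.sh installs Standard Edition and joins in one step.
join_with_install_sh() {   # $1 domain, $2 zone, $3 OU path
  already_joined "$1" && { echo "already joined to $1"; return 0; }
  kinit_from_keytab || return 1
  run ./install.sh --std-suite --adjoin_opt="$(adjoin_opt "$1" "$2" "$3")" || return 1
  run "$KRB5_BIN/kdestroy"   # the join ticket is not needed afterwards
  verify_join "$1"
}

# Path B (Sample 2): native package manager plus adjoin, for hosts that manage RPMs via yum.
join_with_rpm() {          # $1 domain, $2 zone, $3 container DN
  already_joined "$1" && { echo "already joined to $1"; return 0; }
  kinit_from_keytab || return 1
  run rpm -ivh "$PKG" || return 1
  run adjoin -z "$2" -c "$3" "$1" || return 1
  run "$KRB5_BIN/kdestroy"
  verify_join "$1"
}

# Stand-alone use: JOIN_DOMAIN=corp.contoso.com JOIN_ZONE=myzone JOIN_OU='corp.contoso.com/My Servers' sh join.sh
if [ -n "$JOIN_DOMAIN" ]; then
  join_with_install_sh "$JOIN_DOMAIN" "$JOIN_ZONE" "$JOIN_OU"
fi
```

Set DRY_RUN=0 only once the printed command lines match what you expect for the target host.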
install.sh Help file
This script installs (upgrades/uninstalls) Centrify Suite.
Only the superuser can run this script.

Usage:
install.sh [-n|--ent-suite|--std-suite|--express] [-e] [-h] [-V] [-v ver] [-l log_file]

where:
-n Custom install/upgrade/uninstall in non-interactive mode.
--ent-suite Install Enterprise Suite in non-interactive mode.
--std-suite Install Standard Suite in non-interactive mode.
--express Install Centrify Express in non-interactive mode.
--bundle Install Centrify Suite using bundle.
--suite-config <config_file>
Override default suite config file with <config_file>.
-e Uninstall (erase) CentrifyDC.
-h, --help Print out this usage and then exit.
-V Print out installer version and then exit.
-v <ver> Install CentrifyDC <ver> version.
Format: x.x.x or x.x.x-xxx. x is number.
-l <log_file> Override default log-file PATH with <log_file>.
--rev <rev> Package OS revision to install.
--custom_rc Return meaningful exit code.
--override='<options>'
In non-interactive mode, override default options with <options> list.
Format: --override='CentrifyDC_openssh=n,CentrifyDA=R'
--adjoin_opt='<adjoin_options>'
Override default adjoin command line options with <adjoin_options>.
--enable-da In non-interactive mode, once joined to a domain,
enable DA for all shells.
--disable-da In non-interactive mode, disable DA NSS mode after install.

Examples:
./install.sh -n --override='INSTALL=R,CentrifyDC_nis=Y,CentrifyDC_openssh=N,CentrifyDA=N'
./install.sh --std-suite --adjoin_opt='acme.test -p pass$ -z t_zone -c acme.test/My Servers'
./install-bundle.sh --std-suite '--adjoin_opt='acme.test -p pass$ -z t_zone -c acme.test/My Servers'
AD-bridging commands ('ad' commands)
adcheck - check OS, network and AD readiness for Centrify DirectControl
To check the system with domain (e.g. corp.contoso.com)
$ adcheck corp.contoso.com
To only perform OS checks
$ adcheck --test os
To only perform network-related tests
$ adcheck --test net corp.contoso.com
To only perform AD-related tests
$ adcheck --test ad corp.contoso.com
To check the system with a service domain controller (e.g. dc1)
$ adcheck --servername dc1 corp.contoso.com
To check connectivity only with DCs within the site
$ adcheck --siteonly corp.contoso.com
To check only on 3 (or n) DCs in a large domain
$ adcheck --bigdomain 3 corp.contoso.com
To check trust relationships (e.g. with hq.fabrikam.com)
$ adcheck --xdomain corp.contoso.com
To skip NTP checking (if you are not doing sync with AD DCs)
$ adcheck --skip-ntp corp.contoso.com
adinfo: provides information about the status of the agent
Looking-up Basic Information
To check the general status of the client
$ adinfo
To see the current domain controller the client is using
$ adinfo --server
To see the current domain the agent is joined to
$ adinfo --domain
To see the status (mode) of the agent (connected to ad or in offline mode)
$ adinfo --mode
To see the version of the installed client
$ adinfo --version
To see the corresponding Centrify Suite Version
$ adinfo --suite-version
To view Active Directory connectivity to the current domain
$ adinfo --test
To view the current Active Directory site
$ adinfo --site
To see the current joined Centrify zone
$ adinfo --zone
$ adinfo --zonedn (in distinguishedName format)
Advanced/Troubleshooting Information
DNS
To check for the 'joined-as' name (local host name and joined as name may be different)
$ adinfo --name
To check the status of the DNS cache and stats
$ adinfo --diag dns
Connectivity
To check connectivity with an AD domain
$ adinfo --test [domain.name]
To check network connectivity statistics
$ adinfo --sysinfo netstate
To test connectivity against a specific domain controller
$ adinfo --test --servername [domain.controller.name]
Active Directory
To see the current AD Global Catalog
$ adinfo --gc
To see the domain/forest map
$ adinfo --sysinfo domain
To see the status of the AD computer trust relationship
$ adinfo --sysinfo adagent
Testing a user's password
$ adinfo -A --user [username]
# this will prompt you for a password, the output is:
Password for user 'username' is correct/incorrect
Configuration
To parse the contents of the centrify.conf file
$ adinfo --config
To show the client's in memory configuration parameters
$ adinfo --sysinfo config
Kerberos
To view Kerberos information like supported encryption types, key version and registered SPNs
$ adinfo --computer
To view the updated Kerberos configuration in the local system
$ cat /etc/krb5.conf
To list the principals in the system's keytab (krb5.keytab)
$ dzdo /usr/share/centrifydc/kerberos/bin/klist -kt /etc/krb5.keytab
To determine the encryption types of the system's cached ticket
$ dzdo /usr/share/centrifydc/kerberos/bin/klist -fe /etc/krb5.ccache
PKI
adcert - centrify Microsoft PKI client
To perform auto-enrollment of computer PKI certificates (requires an eligible template and communications with the CA)
Using the computer object to authenticate
$ dzdo /usr/share/centrifydc/sbin/adcert --enroll --machine
Using a user to authenticate
$ dzdo /usr/share/centrifydc/sbin/adcert --enroll --user [ADusername]
Dynamic DNS
addns - a dynamic DNS client for AD DNS or RFC 2136-compliant servers
To renew DNS using machine credentials
$ sudo addns --update --machine
To renew DNS using user credentials
$ sudo addns --update --user [ADusername]
To renew DNS only on a specific interface (e.g. eth0)
$ sudo addns --update --machine --interface eth0
Querying Centrify-enabled AD Users and Groups
adquery: provides information about Active Directory users and groups that are UNIX-enabled by Centrify
To view all Centrify UNIX-enabled users
$ adquery user
will show all AD users in Express mode / Only authorized in Zone mode
To view all Centrify UNIX-enabled groups
$ adquery group
will show all AD groups in Express mode / Only UNIX-enabled in Zone mode
To view a user's entry (UNIX passwd file style)
$ adquery user [username]
To view a group entry (UNIX group filestyle)
$ adquery group [groupname]
To view only the user or group's AD group memberships
$ adquery user [user] --adgroup
To view all information about a user or group (including AD object attributes)
$ adquery user|group [user or group] -A
To view the distinguishedName of a user or group
$ adquery user|group [user or group] --dn
To view all information and include password expiration, account lockout/enabled state
$ sudo adquery user [user] -A
To view information about a computer
$ adquery user [computername]$ -A
To get results from cache (instead of fetching from AD)
$ adquery user|group [options] --cache-first
Centrify Cache Commands
adflush - clears the Centrify cache in the local computer (dc, gc, credential & dns)
To flush the authorization cache
$ dzdo adflush --auth
To rebind and force a new DC selection
$ dzdo adflush --bindings
To flush the DNS cache
$ dzdo adflush --dns
To expire the information from domain controllers and global catalogs
$ dzdo adflush --expire
To force complete removal/expiration even when disconnected (use carefully)
$ dzdo adflush --force
To refresh the krb5.conf file
$ dzdo adflush --trusts
To clear the health history
$ dzdo adflush --health
To clear the cloud connectors (in MFA scenarios)
$ dzdo adflush --connectors
Group Policy-related Commands
adgpupdate - triggers the group policy refresh interval
To refresh the GPOs in the system
$ adgpupdate
To refresh only computer GPOs
$ adgpupdate --target Computer
To refresh only user GPOs
$ adgpupdate --target User
adgpresult - views the RSOP (resultant set of policy) for the local system or a user
To view the report for computer and user
$ adgpresult
To view the report for the computer
$ adgpresult --computer
To view the report for the current user
$ adgpresult --user
To view the report for a particular user
$ dzdo adgpresult --user [user.name]
Joining Active Directory
adjoin - joins an Active Directory domain
To run adjoin successfully, you need
> to be root or sudo
> to have the credentials (or the keytab) of an AD user that can join computers to a container (NOT Domain Admin)
> to know the Distinguished Name (e.g. 'ou=servers,ou=unix') of the container that you will place the system in AD
> to know the domain name you're joining
> to have a clear network path to the DC or DCs you're using (dns, global catalog, kerberos, ldap, cifs, ntp).
To join AD in workstation/express mode (AD user must be able to add computers to 'ou=workstations,ou=unix')
$ sudo adjoin --workstation --container 'ou=workstations,ou=unix' --user [AuthorizedADUser] --verbose [domain.name]
To join AD in Self-Service mode (AD/Centrify admin pre-created the machine ahead of time using AM or Centrify PS)
$ sudo adjoin --selfserve [domain.name]
To join AD in zone mode (e.g. Global zone)
$ sudo adjoin --zone Global --container 'ou=servers,ou=unix' --user [AuthorizedADUser] --verbose [domain.name]
To join AD in zone mode and don't initialize (precache)
$ sudo adjoin --noinit --zone Global --container 'ou=servers,ou=unix' --user [AuthorizedADUser] --verbose [domain.name]
To join AD and trust the Computer for Delegation (must know what you're doing - security implications)
$ sudo adjoin --trust --zone Global --container 'ou=servers,ou=unix' --user [AuthorizedADUser] --verbose [domain.name]
To join AD in workstation mode and specify a workstation license
$ sudo adjoin --licensetype 'workstation' --workstation --container 'ou=workstations,ou=unix' --user [AuthorizedADUser] --verbose [domain.name]
To use a specific domain controller to join (e.g. dc1.hq.fabrikam.com)
$ sudo adjoin --server dc1.hq.fabrikam.com --zone Global --container 'ou=servers,ou=unix' --user [AuthorizedADUser] --verbose [domain.name]
To join a Mac in Workstation mode and instruct Centrify to use the Apple algorithm to generate the UID/GID scheme
$ sudo adjoin --enableAppleIDGenScheme --container 'ou=macs,ou=unix' --user [AuthorizedADUser] --verbose [domain.name]
To join AD and provide a different 'AD name' than the local system name (e.g. adserver vs. localhost)
$ sudo adjoin --name adserver --container 'ou=servers,ou=unix' --user [AuthorizedADUser] --verbose [domain.name]
To join AD using keytab (kinit Authorized AD user keytab first, then run adjoin without the --user option)
$ env KRB5_CONFIG=[/path/to/krb5.conf] /usr/share/centrifydc/kerberos/bin/kinit -kt /path/to/keytab [principal]
$ sudo adjoin --zone Global --container 'ou=servers,ou=unix' --verbose [domain.name]
Leaving Active Directory
adleave - leaves an Active Directory domain
To run adleave successfully, you need:
> sudo or root
> for online leave, authorized AD user credentials
Leave the domain and disable the computer object (orphan object left behind)
$ dzdo adleave --user [Authorized ADUsername]
Leave the domain and remove computer object (frees license)
$ dzdo adleave --user [Authorized ADUsername] --remove
Offline/forced leave (no AD connectivity required, must clean-up in AD)
$ dzdo adleave --force
Privilege Elevation ('dz' commands)
dzinfo - displays information of the user's access controls
To view self access (all)
$ dzinfo
To view the properties of the role(s), including effectiveness
$ dzinfo --roles
To view how you can access the system (PAM rights)
$ dzinfo --pam
To view the commands you can run
$ dzinfo --commands
To view the computer roles that apply to the system (requires elevation)
$ dzinfo --computer-role
To view authorization information about another user (requires elevation)
$ dzdo dzinfo [user.name]
To test a command against the role
$ dzinfo --test [path/to/binary] [options]
Centrify-enhanced sudo
dzdo - centrify-enhanced sudo. Uses Centrify zone data in AD for commands, otherwise identical to sudo.
To view version information (as of 2015, based on sudo 1.8.10p3)
$ dzdo -V
Use man sudo or man dzdo for more.
DirectAudit Commands ('da' commands)
dainfo - shows information about the status of the audit agent
To view the audit agent status
$ dainfo
To view status with verbose output
$ dainfo --diag (or dadiag)
To view contents of the configuration file
$ dainfo --config
To view audited status of another user (must elevate)
$ dzdo dainfo --username lisa.simpson
dacontrol - controls the status/configuration of the directaudit client (requires elevation)
To set the installation (if not set by Group Policy)
$ dzdo dacontrol --installation [installation-name]
To check if the audit agent is enabled
$ dzdo dacontrol --query
To enable direct audit
$ dzdo dacontrol --enable
To disable direct audit
$ dzdo dacontrol --disable
What happens when adjoin is run successfully?
This activates the DirectControl agent (adclient/CentrifyDC service).
1. Creates a computer object in AD and sets SPNs for http, host, nfs, cifs, afpserver
2. Establishes a secure communication channel between the system and Active Directory
3. A forest/domain/site map is created to locate the nearest DCs
4. The Kerberos environment (krb5.conf, krb5.keytab) is maintained by Centrify (configurable). A backup is created.
5. Network time is synchronized with AD DCs (configurable)
6. The PAM (Pluggable Authentication Modules) are modified to include Centrify auth, account, password, session modules. A back-up of the previous configuration is made.
7. The NSS (Name Service Switch) providers for users and groups default to AD first, then other methods (e.g. files, ldap, etc). A backup of the previous configuration is made.
Note: in the OS X platform, the PAM/NSS functions are channeled via the Directory Services Plugin API.
8. An Access Control Model is enforced depending on the zone mode:
- In zone mode: Authorization (RBAC) follows zone rules (defaults to closed, only authorized users can access and enabled groups are visible)
- In express/workstation mode: Only Authentication is facilitated. The system is open for all AD users and all groups are visible.
9. Privilege Elevation: Centrify-enhanced sudo (dzdo) becomes active based on the roles/rights defined.
10. User/Group identity (RFC2307) data in AD is stored within the Centrify zone, NOT with the user/group object.
11. The virtual registry is initialized and group policies are enforced.
What happens when adleave is run successfully?
1. Online, with --remove: the computer object in AD is removed from the container and from the zone (frees the license).
2. Online, without --remove: the computer object in AD is marked as disabled and must be overwritten to rejoin.
3. Offline: the object in AD is left orphaned. Cleanup must happen via a Centrify API (AM, PowerShell, adedit).
4. The UNIX environment is reset and rolled back (Kerberos, PAM, NSS).
5. The Centrify adclient (CentrifyDC) service is disabled.
Important Files and Folders
/usr/share/centrifydc/
/bin > contains user binaries, including centrify-enhanced openldap tools like ldapsearch
/sbin > contains system binaries, including adcert and centrify-enhanced OpenSSH
/samples > sample files for hadoop, adedit and local account management
Note: on OS X El Capitan, the location changed to /usr/local/share/centrifydc

/etc/centrifydc
/centrifydc > config files for the DirectControl agent
/centrifyda > config files for the DirectAudit agent
/centrifycc > config files for the Privilege Service CLI Toolkit for AAPM
/openldap > config files for Centrify-enhanced OpenLDAP proxy if installed
/ssh > config files for Centrify-enhanced OpenSSH
/var/centrifydc
kset* files > dynamic information about the environment
reg > virtual registry, contains the computer and user hives (user GPO disabled on Servers)

/var/centrify
net/certs > location of any Microsoft Certificate Authority auto-enrolled certs, keys and trust chain