Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

[HOWTO] Enroll a Centrify Client for Linux and Enabling AgentAuth

Privileged Access Service ,  

28 September,20 at 10:01 PM

The recent addition of the Centrify Client for Linux provides organizations with a lightweight, high performance extension of the capabilities of Privileged Access Service (PAS). One of the main advantages is that organizations no longer need direct network connectivity to a directory source. Not to be confused with the Centrify Agent (adclient), the Centrify Client only needs to be able to reach PAS or the Centrify Connector to allow for brokered authentication.

Some of the main differences between the Centrify Client and the Centrify Agent are listed here:
https://docs.centrify.com/Content/Infrastructure/clients/clients-vs-agents.htm


In this demo, we will be installing a Centrify Client for Linux, enrolling a client to a tenant and setting up agentauth permissions.



Prerequisites

- Centrify Privileged Access Service tenant (SaaS or On-Premise)
- One of the following Linux distributions:
  • Amazon Linux
  • Red Hat Linux
  • CentOS Linux
  • Oracle Linux
  • SuSe Linux
  • Ubuntu Linux
  • CoreOS



Download and Install the package

Installing the Centrify Client for Linux package is very simple. Log in to the PAS admin portal and find the Downloads menu on the left. Look for the "Centrify Clients for Linux" section as shown below. Choose the ‘Download’ option and the current version of the client will get downloaded. The version of the client will be the same as the Connector version.

User-added image

Older versions of the Centrify Client for Linux can be found on the Centrify Download Portal

https://centrify.force.com/support/CentrifyDownload


After the package is copied to the client machine, the native OS package manager commands can be used. For example on a RedHat machine, the following command can be used:


# rpm -Uvh CentrifyCC-rhel6.x86_64.rpm


Installation typically takes less than a minute and something like the following should be seen to indicate success:


User-added image



Enrolling a Centrify Client to the tenant

Now that the package is installed, the client needs to be enrolled to the desired tenant. The cenroll command will be used. The most basic format of the cenroll command is the following:


# cenroll -t <tenant ID> -c <enrollment code> -F <Features> -V <verbose>


For example, if the tenant ID is AAU0937 and with an enrollment code generated from the tenant, along with the “agentauth” feature, the command will look like below:

# cenroll -t AAU0937.my.centrify.net -c  K08GFBSGKDOEKLXHTO2XWU2357QEXCROJTV_-YKNZVO1 -F agentauth -V


User-added image


*Note* There are a variety of methods that can be used to enroll a Centrify Client to your PAS portal, the example above is a very basic option. There are also many options to the cenroll command. The below link has more info on other cenroll methods:

https://docs.centrify.com/Content/Infrastructure/enroll/svr-mgr-computer-cenroll.htm


Running the cinfo command will verify that the client is enrolled and the service is running.


User-added image



When checking in the admin portal, you should see the enrolled system under "Resources > Systems" and when opening the system properties, you will see the version of the client software installed:


User-added image



To grant agentauth permissions to a user or group

In the system properties menu choose “Permissions” and click Add and select an Active Directory or Centrify Directory user:

User-added image




In the below example, the AD user, Tetsu.Ishii@ocean.net has been added and will automatically get “View” permissions. To allow for Tetsu to login to the machine, check the mark for “AgentAuth”


User-added image


Now that Tetsu has the minimum permissions required for login, he should see the system under ‘Resources > Systems’ when he logs into the admin portal.

Once logged in, Tetsu only needs to place a checkmark next to the system and choosing "Actions > Enter Account." Tetsu will get prompted for his AD username and password.


One thing to consider, is that an error may come up about having incorrect credentials. Tetsu has verified he is using the correct credentials and the same password works on other domain joined systems. Why is it not working when trying to login from the admin portal?

User-added image



If faced with this issue, please login to the machine as a root equivalent user and open the /etc/ssh/sshd_config file. In this file, please check the status of the following parameter, by default it is set to "No." Please change this to say “yes” and restart the sshd service.


User-added image


* Note* The Centrify Client for Linux does not ship an OpenSSH package.


Now that the SSH configuration has been adjusted, Tetsu should now be able to login from the admin portal, using his AD username and password. You will also notice that if Tetsu has MFA options setup, then he will get prompted for an MFA option.


User-added image


More info on setting up MFA on Centrify Client for Linux is explained here:

https://docs.centrify.com/Content/Infrastructure/enroll/Enabling-MFA-for-cloud-Linux-agent.htm



The Centrify Client for Linux also has other features such as Application to Application Password Management (AAPM) and Delegated Machine Credentials (DMC). These features can be enabled during the cenroll process. This client package is designed to take full advantage of the features of a PAS tenant and allows for automation in several different scenarios.





 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.