HOWTO: Manually install and join AD with the Centrify Express agent

11 April,19 at 11:49 AM

What:  A method for manual installation of the Centrify agent.

Why:  Because some of us just want to install the agent and get going, with minimal Windows exposure and as few extra components as possible, using the OS-native installer.

Estimated Duration:  Less than 5 minutes if you have what you'll need.

 

What you'll need to know and do prior to going to the UNIX/Linux system:

 

  1. Unix/Linux/Mac version and architecture, so you know which bits to download
     e.g. CentOS 64-bit
  2. A way to copy files from your computer (if it's a Windows PC) to your Linux/Unix/Mac system
     (e.g. WinSCP/pscp.exe)
  3. AD credentials that can join computers to the target OU.  This does not have to be a Domain Admin, just an account that is allowed to join computers to that OU.
     e.g. Diana's username/password:  dwirth
  4. x.500 notation of where you're placing the computer object
     e.g. for the sub-OU called Servers under the top-level OU Centrifyse, the x.500 notation is "ou=servers,ou=centrifyse"
  5. The IP address of a DNS server authoritative for the AD DNS zone, in the nameserver line of /etc/resolv.conf
     e.g. if the DNS server authoritative for the AD zone is 192.168.81.10, then /etc/resolv.conf has a line like this:
     nameserver 192.168.81.10
  6. Optional, for SSO:  the IP address of the system as registered in AD DNS
     e.g. if your system is named engcen5 with IP 192.168.81.25 and the AD DNS domain is centrifyimage.vms, a dig query for its A record should yield a response like this:
     $ dig engcen5.centrifyimage.vms

     ;; QUESTION SECTION:
     ;engcen5.centrifyimage.vms.     IN      A

     ;; ANSWER SECTION:
     engcen5.centrifyimage.vms. 1200 IN      A       192.168.81.25
  7. With the answer to #1, go here:
     http://www.centrify.com/express/free-active-directory-authentication-for-unix-linux.asp#agents
     and download the appropriate agent for your platform/architecture.
     e.g. for RHEL and derivatives as of this post, the file is http://www.centrify.com/express/download.asp?asset=centrify-suite-2014.1-rhel3-x86_64.tgz; download it and copy it to your target Unix/Linux system.

 

Implementation steps:

  1. Unpack the bits:
     $ tar zxvf centrify-suite-2014.1-rhel3-x86_64.tgz
     The only two files you need to be concerned with are adcheck-* and centrifydc-*; the rest is icing on the cake or commercial-version bits.  Centrify always packs the bits with the native installer of the platform (e.g. RPM, DEB).
     e.g. adcheck-rhel3-x86_64 and centrifydc-5.2.1-rhel3-x86_64.rpm
  2. Run adcheck and fix anything you might have overlooked.  Syntax:  ./adcheck-<package> <domain>
     $ ./adcheck-rhel3-x86_64 centrifyimage.vms
  3. Install the Centrify agent:
     $ sudo yum install centrifydc-5.2.1-rhel3-x86_64.rpm

     Note: this only puts the bits in place.  Having the agent on the system does not mean it is active (you can confirm with the adinfo command); for that you need to join the domain, and that is where most of the information gathered above comes into play.

  4. Join the domain (using the example values above):
     $ sudo adjoin -w -c "ou=servers,ou=centrifyse" -V -u dwirth centrifyimage.vms

     This means: with elevation, join in workstation (-w) mode, put the computer in the /centrifyse/servers container OU (-c), produce verbose (-V) output, use dwirth's credentials (-u), and join the AD domain centrifyimage.vms.  The output of adinfo should change.

At this point you should be able to log in with any AD user to the system.  Workstation (express) mode means that anyone should be able to log in, and their Unix identity is generated for them.  There are ways to limit access leveraging SSH directives, access.conf and others.
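As an added pre-flight helper (written for this page, not Centrify's own tooling and not part of the original article), the following POSIX shell script checks the items gathered above before you run adjoin: that /etc/resolv.conf lists the AD-authoritative DNS server, that the host's A record resolves to its own IP (the SSO prerequisite), and it assembles the step-4 adjoin command line from the OU, user and domain. It runs offline against constructed sample inputs that reuse the article's example values; on a real host you would feed it the contents of /etc/resolv.conf and the output of dig.

```shell
#!/bin/sh
# Pre-flight checks for a Centrify Express manual join (added helper, not Centrify code).

# Constructed sample /etc/resolv.conf content, using the article's example DNS server.
SAMPLE_RESOLV='search centrifyimage.vms
nameserver 192.168.81.10'

# Constructed sample answer section from `dig engcen5.centrifyimage.vms`.
SAMPLE_DIG=';; ANSWER SECTION:
engcen5.centrifyimage.vms. 1200 IN      A       192.168.81.25'

# has_nameserver <resolv_conf_text> <ip>: succeed only if <ip> appears on a nameserver line.
has_nameserver() {
    printf '%s\n' "$1" | awk -v ip="$2" '$1 == "nameserver" && $2 == ip { found = 1 } END { exit !found }'
}

# dig_a_record <dig_output> <fqdn>: print the address of the first A record dig returned for <fqdn>.
dig_a_record() {
    printf '%s\n' "$1" | awk -v name="$2." '$1 == name && $3 == "IN" && $4 == "A" { print $5; exit }'
}

# join_command <ou_x500> <user> <domain>: print the adjoin command line from step 4.
join_command() {
    printf 'sudo adjoin -w -c "%s" -V -u %s %s\n' "$1" "$2" "$3"
}

# preflight <resolv_text> <dig_text> <dns_ip> <fqdn> <expected_ip>: return 0 only if every check passes.
preflight() {
    has_nameserver "$1" "$3" || { echo "resolv.conf does not point at AD DNS $3" >&2; return 1; }
    addr=$(dig_a_record "$2" "$4")
    [ "$addr" = "$5" ] || { echo "A record for $4 is '$addr', expected $5 (SSO will not work)" >&2; return 1; }
    return 0
}

# Stand-alone run against the constructed samples.
if preflight "$SAMPLE_RESOLV" "$SAMPLE_DIG" 192.168.81.10 engcen5.centrifyimage.vms 192.168.81.25; then
    echo "pre-flight OK, join with:"
    join_command "ou=servers,ou=centrifyse" dwirth centrifyimage.vms
fi
```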


Tools that are good to know:
adcheck - checks whether all systems are go to join a domain, or diagnoses domain connectivity
adinfo - shows you what's up with the AD client
adjoin/adleave - joins and leaves AD domains
adquery (user | group) - shows you all Unix-enabled AD users and groups
addns - performs dynamic DNS updates
adsmb - a rudimentary SMB client provided by Centrify
adcert - available in Express mode on some platforms; a PKI client for the Microsoft CA


And that's it: a quick and dirty manual installation without needing the DirectManage bits on Windows or Centrify OpenSSH.

 

R.P