What: A method for manual installation of the Centrify agent.
Why: Because some of us just want to install the agent and get going with minimal Windows exposure and components being installed while using the OS native installer.
Estimated Duration: Less than 5 minutes if you have what you'll need.
What you'll need to know and do prior to going to the UNIX/Linux system:
Unix/Linux/Mac version and architecture - so you know what bits to download e.g. CentOS 64bit
A way to copy files from your computer (if it's a Windows PC) to your Linux/Unix/Mac system (e.g. WinSCP/pscp.exe)
AD credentials that can join to the target OU. This does not have to be a Domain Admin, just somebody that can join computers to the target OU. e.g. Diana's username/password: dwirth
x.500 notation of where you're placing the computer object e.g. for the SubOU called Servers under the Top OU Centrifyse, then the x.500 notation is "ou=servers,ou=centrifyse"
The IP address of a DNS server authoritative for the AD DNS zone, set in a nameserver line of /etc/resolv.conf, e.g. if the DNS server authoritative for the AD zone is 192.168.81.10, then /etc/resolv.conf needs a nameserver line with that address.
Optional for SSO: The IP address of the system registered on AD DNS (for SSO) e.g. if your system is named engcen5 with IP 192.168.81.25 and the AD DNS is centrifyimage.vms, the dig query for this A record should yield a response like this:
;; QUESTION SECTION:
;engcen5.centrifyimage.vms. IN A
;; ANSWER SECTION:
engcen5.centrifyimage.vms. 1200 IN A 192.168.81.25
The only two files you should be concerned with are adcheck- and centrifydc-; the rest is just icing on the cake or commercial version bits. Centrify always packs the bits with the native installer of the platform (e.g. RPM, DEB), for example adcheck-rhel3-x86_64 and centrifydc-5.2.1-rhel3-x86_64.rpm
Run adcheck (fix anything you might have overlooked) - syntax: adcheck-package
Note - this only puts the bits in place. The fact that the agent is on the system does not mean that it's active (you can confirm with the adinfo command); for this you need to join the domain, and that's where most of the gathered information comes into play.
This means: with elevation, join in workstation (-w) mode, put the computer in the /centrifyse/servers container OU (-c), produce verbose (-V) output, use dwirth's credentials (-u) and join the AD domain centrifyimage.vms. The output of adinfo should change.
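The checks below tie the gathered values together before the join; this is an added example, not part of the original post or Centrify's own tooling. Function names are hypothetical, the sample resolv.conf and dig output are constructed from the page's example values, and the adjoin line is only printed, assembled from the flags described above.

```shell
#!/bin/sh
# Added example: pre-join checks on the values gathered above.
# Function names are hypothetical; sample inputs are constructed from the page's example values.

# True if FILE has a nameserver line pointing at the AD DNS server IP.
has_nameserver() {  # has_nameserver FILE IP
    awk -v ip="$2" '$1 == "nameserver" && $2 == ip { ok = 1 } END { exit !ok }' "$1"
}

# Print the address of the A record for FQDN found in dig output on stdin.
# The QUESTION SECTION line starts with ";" so it never matches.
a_record() {  # a_record FQDN
    awk -v n="$1." 'tolower($1) == tolower(n) && $3 == "IN" && $4 == "A" { print $5; exit }'
}

# Convert an OU path such as /centrifyse/servers to the x.500 form used with -c.
ou_to_x500() {  # ou_to_x500 /top/sub
    printf '%s\n' "$1" | awk -F/ '{ out = ""
        for (i = NF; i >= 1; i--) if ($i != "") out = out (out == "" ? "" : ",") "ou=" $i
        print out }'
}

# Run both checks, then print (not run) the join command built from the same values.
preflight() {  # preflight RESOLV_FILE DNS_IP FQDN HOST_IP OU_PATH USER DOMAIN  (dig output on stdin)
    has_nameserver "$1" "$2" || { echo "FAIL: no 'nameserver $2' in $1" >&2; return 1; }
    got=$(a_record "$3")
    [ "$got" = "$4" ] || { echo "FAIL: A record for $3 is '${got:-missing}', expected $4" >&2; return 2; }
    echo "adjoin -w -c \"$(ou_to_x500 "$5")\" -V -u $6 $7"
}

# Constructed sample inputs (on a real host: /etc/resolv.conf and the output of dig for the A record).
SAMPLE_RESOLV=$(mktemp)
printf 'search centrifyimage.vms\nnameserver 192.168.81.10\n' > "$SAMPLE_RESOLV"
SAMPLE_DIG=';; QUESTION SECTION:
;engcen5.centrifyimage.vms. IN A
;; ANSWER SECTION:
engcen5.centrifyimage.vms. 1200 IN A 192.168.81.25'

printf '%s\n' "$SAMPLE_DIG" |
    preflight "$SAMPLE_RESOLV" 192.168.81.10 engcen5.centrifyimage.vms 192.168.81.25 \
        /centrifyse/servers dwirth centrifyimage.vms
rm -f "$SAMPLE_RESOLV"
```

A return code of 1 means the resolver is not pointed at the AD DNS server; 2 means the host's A record is missing or wrong, which only matters for the optional SSO prerequisite.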
At this point you should be able to log in with any AD user to the system. Workstation (express) mode means that anyone should be able to log in, and their Unix identity is generated for them. There are ways to limit access leveraging SSH directives, access.conf and others.
Tools that are good to know:
adcheck - checks if all systems are a go to join a domain or to diagnose domain connectivity
adinfo - shows you what's up with the AD client
adjoin/adleave - joins, leaves AD domains
adquery (user | group) - shows you all unix-enabled AD users and groups
addns - to perform dynamic DNS updates
adsmb - a rudimentary SMB client provided by Centrify.
adcert - available in Express mode in some platforms, a PKI client for the Microsoft CA.
And that's it, a quick and dirty manual installation without the need of DirectManage bits on Windows or Centrify OpenSSH.