Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

[HOWTO] Orchestration Basics - Setting up your own Centrify repository for RHEL and derivatives

11 April,19 at 11:50 AM

Note (December 2017):

Commercial customers of Centrify have access to the Yum, APT and SuSe repositories hosted by Centrify.  The instructions are here https://www.centrify.com/support/customer-support-portal/repos/

This article has been left here for historical reasons.

 

Background

The foundation to many deployment or orchestration tools is to have private hosted repositories of source installation packages.  Centrify offers native packages for all the supported platforms.  In addition, Centrify also offers install.sh;  this script and the answer files can abstract the underlying package manager for UNIX, Linux or Mac systems.

 Install.sh - Benefits.jpg

 

This means that you can use an NFS Server, a Samba Server, a Web Server or your package manager in conjunction with the Centrify bits to deploy software easily across your enterprise. Alternatively, the Yellow-Dog Updater Modified (YUM) (and APT) provide a simple to set-up and robust package manager that can be used primarily with RedHat and derivative platforms.

 

Centrify Repo

For existing customers with Support Portal access,  Centrify offers Yum, APT and SuSe repos.  For instructions on how to set up, look here:  https://www.centrify.com/support/customer-support-portal/repos

 

Disclaimers

  • This article provides a "quick basic configuration";  in a true deployment you have to account for high-availability, replication, security, package integrity, supported platforms, supported versions, change control, etc. 
  • All names, logos and trademarks used in this articles correspond to their existing owners.

 

What is required?

  • A RHEL-based system with enough storage for the Centrify RPM packages for each platform (or just for the subset you need to support).
  • If using web as the delivery mechanism, the web server (Apache) has to be set and configured accordingly.

 

Example Diagram

repo model.png 

In my mock organization, there are different types of RHEL derivatives, including RedHatEnterprise, Fedora, Oracle, Scientific Linux, etc, all running on different architectures, including Intel/AMD (32 and 64 bit) ,  zLinux IBM s390, Itanium and IBM Power processors.   

 

Implementation Steps

 

Verify pre-requisites.  I'm planning to use http as the transport for my repo.

# Check if Apache is installed
$ sudo  yum list installed | grep httpd
httpd.x86_64            2.2.15-47.el6.centos
httpd-tools.x86_64      2.2.15-47.el6.centos

# If not present
$ sudo yum install httpd
$ sudo chckconfig httpd on
$ sudo service httpd start

Install the createrepo package

$ sudo yum install createrepo

Download the Centrify Bundle for the platforms to be supported.

Example data - In my mock organization,  I will be supporting the bits for 2014.1 and 2015.1.  This organization has a policy to only deploy maintenance releases.

 

  1. Go to the Centrify Customer Center and Navigate to the Downloads Section.
  2. Identity the bundle for 2015.1 and 2014.1:
    bundle.PNG
    The bundle is available in ISO or ZIP formats.
  3. Copy and unzip the bundle in a staging server.  Note that ALL the platforms are present.  We are only interested in the .TGZ files that contain the word "rhel" in the name.
    centrify-suite-2015.1-rhel4-i386.tgz      
    
  4. Gunzip and untar all those files (use tar xzvf [package].tgz).  You will see RPMs for all the software included.  Here's a description of all packages:
    CentrifyDA is the audit agent, only used with Enterprise Edition or Privilege Service.
    CentrifyDC is adclient; can be used in Express mode or Zone mode (licensed)
    CentrifyDC is absolutely the only package required in most scenarios. Any other package, and you're in the land of "you must know what you're doing"
    CentrifyDC-ldapproxy is the Centrified OpenLDAP Server - required to support filers or older apps over LDAP interfaces
    CentrifyDC-nis is another proxy.  It exists to support legacy  NIS scenarios.  Needless to say, this is a transitional package, using NIS is a bad idea and will lead to audit comments.
    CentrifyDC-openssh is our provided version of OpenSSH; since SSH has matured to provide PAM, GSSAPI and even Kerberos support, 80% of the time is not needed, however, if you have an older UNIX or are in a complex AD, this package can be your friend.

Example data - If we follow the example, there should be 5 RPM packages for each of the different architecture.  However, since there's variability on the s390 package releases, I ended up with 38 packages.

 

Tip: use the rpm -qpil command to inspect them.  You'll see that they are very well docummented.

 

Copy the Centrify RPMs to the target location and verify access

In my over-simplistic example, we'll piggy-back on the default website.

  1. Create a folder under /var/www/html
    $ sudo mkdir /var/www/html/centrify
  2. Copy the RPMs to the folder.
    $ cd /path/to/centrify/staging
    $ sudo mv * /var/www/html/centrify
  3. Set the proper permissions in the folder
    chmod -R ugo+rX /var/www/html/centrify
  4. Verify that the files are accessible via the web server (you may have to check the firewall settings)
    webworks.PNG

Create your Repository

  1. Use the createrepo command to create the repository
    $ sudo createrepo --database /var/www/html/centrify
  2. Update the repository database
    $ sudo createrepo --update /var/www/html/centrify
    Spawning worker 0 with 38 pkgs
    Workers Finished
    Gathering worker results 

Create your repository's configuration file
In this simple configuration, we ended-up with this file (centrify.repo):

[centrify]
name=centrify
baseurl=http://linux2.centrify.vms/centrify
enabled=1
gpgcheck=0

Note:  We are adding a keytab from a least privilege AD user that can only perform the join (or leave).  This will ensure that we don't need to put any passwords, keys or hashes in our provisioning script.  For more information on how to create the AD account and corresponding keytab, see this article.

 

Verify that your Repository is working

  1. Log in to a test system, copy or create the centrify.repo file in the /etc/yum.repos.d folder
    $ sudo cp /path/to/centrify.repo /etc/yum.repos.d/centrify.repo
  2. Checking package availability and Metadata
    $ sudo yum install centrifydc
    No package centrifydc available.
      * Maybe you meant: CentrifyDC
    # This verifies that our metadata is OK.
  3. More information about CentrifyDC (the base package) - output truncated.
    $ sudo yum info CentrifyDC
    Available Packages
    Name        : CentrifyDC
    Arch        : i386
    Version     : 5.2.3
    Release     : 429
    Size        : 25 M
    Repo        : centrify
    Summary     : Centrify DirectControl Agent
    URL         : http://www.centrify.com/
    License     : Copyright (C) 2004-2015 Centrify Corporation
    Description : RPM to install Centrify DirectControl on Linux x86 platforms.
    
    Name        : CentrifyDC
    Arch        : x86_64
    Version     : 5.2.3
    Release     : 429
    Size        : 34 M
    Repo        : centrify
    Summary     : Centrify DirectControl Agent
    URL         : http://www.centrify.com/
    License     : Copyright (C) 2004-2015 Centrify Corporation
    Description : RPM to install Centrify DirectControl on Linux x86_64 platforms.
    
    Note that I can see that the lastest version is available for two platforms that may apply to my system.
  4. Let's verify the integrity of dependencies (LDAP Proxy depends on DirectControl)
    $ repoquery --requires CentrifyDC-ldapproxy
    /bin/sh
    CentrifyDC CentrifyDC >= 5.2.3-000
    /bin/sh
    CentrifyDC CentrifyDC >= 5.2.3-000
  5. Let's install DirectControl
    $ sudo yum install CentrifyDC
    
    Resolving Dependencies
    --> Running transaction check
    ---> Package CentrifyDC.x86_64 0:5.2.3-429 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================
     Package             Arch            Version            Repository         Size
    ================================================================================
    Installing:
     CentrifyDC          x86_64          5.2.3-429          centrify           34 M
    
    Transaction Summary
    ================================================================================
    Install       1 Package(s)
    
    Total download size: 34 M
    Installed size: 87 M
    Is this ok [y/N]:

 

Putting it All Together

Ultimately, there are 3 operations to onboard a Centrify system in AD.

  • Get the package and install it  [we should be good here]
  • Verify that the system is ready to join  (OS check, Perl, inspect DNS, check for communicaton with AD)
    [read below note #1]
  • Use the adjoin command to activate DirectControl and join AD.
    [read below note # 2]

Note # 1:  With YUM you have a reliable way to get the packages across for multiple RHEL derivatives;  however, your logic should include adcheck in the mix if you're not using an enterprise image.  Ideally you would always do QA and use supported platforms and have a standard DNS configuration that includes the ability to get an authoritative response from a Domain controller.  If that's the case, and there are no firewalls in-between, adjoin should just work.

 

Note # 2:  We have covered adjoin extensively; keep in mind that it is Kerberized and it won't require a password to work.   Its counterpart (adleave) will work the same way, and it's essential for cleanup and releasing of licenses (otherwise they will count for 45 days against your usage).

 

The ultimate automation script should contain just 3 lines:

  1. yum install CentrifyDC
  2. kinit to authenticate to authorized AD user
  3. adjoin

In my example: 

 

$ yum install CentrifyDC
$ env KRB5_CONFIG=/temp/krb5.conf /usr/share/centrifydc/kerberos/bin/kinit 
-kt /temp/ad-joiner.keytab ad-joiner
$ adjoin --zone Global --container "ou=servers,ou=centrifyse" 
--computerrole "PCI Systems" centrify.vms

 

Verification Video (5 minutes, 10 seconds)

 

 

Appendix:  Flipping the script - deprovisioning

 

In elastic environments, decommisioning a system  (or 'Terminating' in AWS lingo) has a Centrify implication;  it has to do with proper Active Directory hygiene and licensing purposes(*).  The proper way to leave the domain is to use the remove option of the adleave command.   Based on my example, If I wanted to leave the domain and uninstall Centrify here's the sequence:

  1. kinit to an account that is authorized to remove the computer from the domain
  2. use the adleave -r command
  3. optional:  use yum erase CentrifyDC

In my example:

 

$ env KRB5_CONFIG=/temp/krb5.conf /usr/share/centrifydc/kerberos/bin/kinit 
-kt /temp/ad-joiner.keytab ad-joiner
$ adleave --remove
$ yum erase CentrifyDC

 (*) If you don't use the "--remove" option with adleave, you are creating an orphaned object in the zone and a computer object that is disabled.  It takes 45 days for the Centrify consoles to consider this system as inactive;  inactive systems don't count against your Centrify license counts.  You can run the Analyze tool to find and clean orphaned and tombstoned objects.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.