18 December,19 at 11:45 AM
Note (December 2017):
Commercial customers of Centrify have access to the Yum, APT and SuSe repositories hosted by Centrify. The instructions are here https://www.centrify.com/support/customer-support-portal/repos/
This article has been left here for historical reasons.
Background
The foundation to many deployment or orchestration tools is to have private hosted repositories of source installation packages. Centrify offers native packages for all the supported platforms. In addition, Centrify also offers install.sh; this script and the answer files can abstract the underlying package manager for UNIX, Linux or Mac systems.
This means that you can use an NFS server, a Samba server, a web server or your package manager in conjunction with the Centrify bits to deploy software easily across your enterprise. Alternatively, the Yellow-Dog Updater Modified (YUM) (and APT) provide a simple-to-set-up and robust package manager, used primarily with Red Hat and derivative platforms.
Centrify Repo
For existing customers with Support Portal access, Centrify offers Yum, APT and SuSe repos. For instructions on how to set up, look here: https://www.centrify.com/support/customer-support-portal/repos
Disclaimers
What is required?
Example Diagram
In my mock organization, there are different types of RHEL derivatives, including Red Hat Enterprise Linux, Fedora, Oracle Linux, Scientific Linux, etc., all running on different architectures, including Intel/AMD (32 and 64 bit), zLinux (IBM s390), Itanium and IBM Power processors.
Implementation Steps
Verify pre-requisites. I'm planning to use http as the transport for my repo.
# Check if Apache is installed
$ sudo yum list installed | grep httpd
httpd.x86_64 2.2.15-47.el6.centos
httpd-tools.x86_64 2.2.15-47.el6.centos
# If not present
$ sudo yum install httpd
$ sudo chkconfig httpd on
$ sudo service httpd start
Install the createrepo package
$ sudo yum install createrepo
Download the Centrify Bundle for the platforms to be supported.
Example data - In my mock organization, I will be supporting the bits for 2014.1 and 2015.1. This organization has a policy to only deploy maintenance releases.
centrify-suite-2015.1-rhel4-i386.tgz
Example data - If we follow the example, there should be 5 RPM packages for each of the different architectures. However, since there's variability in the s390 package releases, I ended up with 38 packages.
Tip: use the rpm -qpil command to inspect them. You'll see that they are very well documented.
Copy the Centrify RPMs to the target location and verify access
In my over-simplistic example, we'll piggy-back on the default website.
Create your Repository
$ sudo createrepo --database /var/www/html/centrify
$ sudo createrepo --update /var/www/html/centrify
Spawning worker 0 with 38 pkgs
Workers Finished
Gathering worker results
Create your repository's configuration file
In this simple configuration, we ended-up with this file (centrify.repo):
[centrify]
name=centrify
baseurl=http://linux2.centrify.vms/centrify
enabled=1
gpgcheck=0

Caveat: gpgcheck=0 turns off package signature verification, so every client trusts whatever this web server (and the network path to it) hands out. That is fine for a lab; for a production repo, serve it over HTTPS, and if the packages you publish are signed, import the signing key with rpm --import and set gpgcheck=1 with a gpgkey= entry.
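As an added example (not part of the original article), here is a small publishing script that does the repo-side work above with signature checks on, and renders a client-side .repo file that keeps gpgcheck enabled instead of the gpgcheck=0 used for the quick test. The paths, the HTTPS base URL and the key location /etc/pki/rpm-gpg/RPM-GPG-KEY-centrify are assumptions for the example; adjust them to your environment.

```bash
#!/bin/bash
# Added example, not from the original article: publish RPMs into the yum
# repo only after their signatures verify, and write a client .repo file
# that keeps signature verification on.
# Assumed/hypothetical: REPO_DIR, BASEURL and GPG_KEY below. The key must be
# imported on the repo host first (rpm --import "$GPG_KEY") for rpm -K to
# recognise the signatures.
set -u

REPO_DIR="${REPO_DIR:-/var/www/html/centrify}"
BASEURL="${BASEURL:-https://linux2.centrify.vms/centrify}"
GPG_KEY="${GPG_KEY:-/etc/pki/rpm-gpg/RPM-GPG-KEY-centrify}"

# Render the client-side repo definition. gpgcheck=1 makes yum verify every
# package against the key named in gpgkey=, so a tampered mirror or an
# on-path attacker cannot feed clients a modified CentrifyDC package.
render_repo_file() {
    local name="$1" baseurl="$2" gpgkey="$3"
    cat <<EOF
[$name]
name=$name
baseurl=$baseurl
enabled=1
gpgcheck=1
gpgkey=file://$gpgkey
EOF
}

# Reject any RPM whose digest or signature does not verify. rpm -K
# (--checksig) exits non-zero on a bad or missing signature, or when the
# signing key is not imported. An empty directory is treated as an error
# rather than silently publishing nothing.
verify_rpms() {
    local dir="$1" f bad=0
    for f in "$dir"/*.rpm; do
        [ -e "$f" ] || { echo "no RPMs found in $dir" >&2; return 1; }
        if ! rpm -K "$f" >/dev/null 2>&1; then
            echo "signature check failed: $f" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Verify, (re)build the metadata, and drop the client .repo file next to it
# so provisioning scripts can fetch it from the same place.
publish_repo() {
    verify_rpms "$REPO_DIR" || return 1
    createrepo --database --update "$REPO_DIR" || return 1
    render_repo_file centrify "$BASEURL" "$GPG_KEY" > "$REPO_DIR/centrify.repo"
}

if [ "${1:-}" = "publish" ]; then
    publish_repo
fi
```

Run it as ./publish-centrify-repo.sh publish after copying a new bundle's RPMs into the repo directory; a single unsigned or corrupted package stops the metadata rebuild, so clients never see a package that would later fail gpgcheck.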
Note: We are adding a keytab from a least privilege AD user that can only perform the join (or leave). This will ensure that we don't need to put any passwords, keys or hashes in our provisioning script. For more information on how to create the AD account and corresponding keytab, see this article.
Verify that your Repository is working
$ sudo yum install centrifydc
No package centrifydc available.
* Maybe you meant: CentrifyDC
# This verifies that our metadata is OK.
$ sudo yum info CentrifyDC
Available Packages
Name : CentrifyDC
Arch : i386
Version : 5.2.3
Release : 429
Size : 25 M
Repo : centrify
Summary : Centrify DirectControl Agent
URL : http://www.centrify.com/
License : Copyright (C) 2004-2015 Centrify Corporation
Description : RPM to install Centrify DirectControl on Linux x86 platforms.

Name : CentrifyDC
Arch : x86_64
Version : 5.2.3
Release : 429
Size : 34 M
Repo : centrify
Summary : Centrify DirectControl Agent
URL : http://www.centrify.com/
License : Copyright (C) 2004-2015 Centrify Corporation
Description : RPM to install Centrify DirectControl on Linux x86_64 platforms.

Note that I can see that the latest version is available for two architectures that may apply to my system.
$ repoquery --requires CentrifyDC-ldapproxy
/bin/sh
CentrifyDC
CentrifyDC >= 5.2.3-000
/bin/sh
CentrifyDC
CentrifyDC >= 5.2.3-000
$ sudo yum install CentrifyDC
Resolving Dependencies
--> Running transaction check
---> Package CentrifyDC.x86_64 0:5.2.3-429 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch        Version          Repository       Size
================================================================================
Installing:
 CentrifyDC       x86_64      5.2.3-429        centrify         34 M

Transaction Summary
================================================================================
Install 1 Package(s)

Total download size: 34 M
Installed size: 87 M
Is this ok [y/N]:
Putting it All Together
Ultimately, there are 3 operations to onboard a Centrify system in AD.
Note # 1: With YUM you have a reliable way to get the packages across for multiple RHEL derivatives; however, your logic should include adcheck in the mix if you're not using an enterprise image. Ideally you would always do QA and use supported platforms and have a standard DNS configuration that includes the ability to get an authoritative response from a Domain controller. If that's the case, and there are no firewalls in-between, adjoin should just work.
Note # 2: We have covered adjoin extensively; keep in mind that it is Kerberized and it won't require a password to work. Its counterpart (adleave) will work the same way, and it's essential for cleanup and releasing of licenses (otherwise they will count for 45 days against your usage).
The ultimate automation script should contain just 3 lines:
In my example:
$ yum install CentrifyDC
$ env KRB5_CONFIG=/temp/krb5.conf /usr/share/centrifydc/kerberos/bin/kinit -kt /temp/ad-joiner.keytab ad-joiner
$ adjoin --zone Global --container "ou=servers,ou=centrifyse" --computerrole "PCI Systems" centrify.vms
Verification Video (5 minutes, 10 seconds)
Appendix: Flipping the script - deprovisioning
In elastic environments, decommissioning a system (or 'Terminating' in AWS lingo) has a Centrify implication; it has to do with proper Active Directory hygiene and licensing (*). The proper way to leave the domain is to use the --remove option of the adleave command. Based on my example, if I wanted to leave the domain and uninstall Centrify, here's the sequence:
In my example:
$ env KRB5_CONFIG=/temp/krb5.conf /usr/share/centrifydc/kerberos/bin/kinit -kt /temp/ad-joiner.keytab ad-joiner
$ adleave --remove
$ yum erase CentrifyDC
(*) If you don't use the "--remove" option with adleave, you are creating an orphaned object in the zone and a computer object that is disabled. It takes 45 days for the Centrify consoles to consider this system as inactive; inactive systems don't count against your Centrify license counts. You can run the Analyze tool to find and clean orphaned and tombstoned objects.
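As an added example (not part of the original article), the join sequence from "Putting it All Together" and the leave sequence above, wrapped in one script with the checks an orchestrator should make before it uses the joiner keytab: the keytab must not be readable by other users, adcheck runs before adjoin, the joiner's ticket lives in a private credential cache that is destroyed afterwards, and adleave always runs with --remove. The paths under /etc/centrify-bootstrap, the kdestroy path, and the zone, container, role and domain values (copied from the article's example) are assumptions for the example; so is the assumption that adjoin and adleave pick up the ticket from KRB5CCNAME, as the article's kinit-then-adjoin pair relies on the credential cache.

```bash
#!/bin/bash
# Added example, not from the original article: join and leave wrapped with
# practical checks. Assumed/hypothetical: every default value below, the
# location of kdestroy in the Centrify kerberos bin directory, and that
# adjoin/adleave honour KRB5CCNAME for the credential cache.
set -u

KEYTAB="${KEYTAB:-/etc/centrify-bootstrap/ad-joiner.keytab}"
KRB5_CONF="${KRB5_CONF:-/etc/centrify-bootstrap/krb5.conf}"
PRINCIPAL="${PRINCIPAL:-ad-joiner}"
KINIT="${KINIT:-/usr/share/centrifydc/kerberos/bin/kinit}"
KDESTROY="${KDESTROY:-/usr/share/centrifydc/kerberos/bin/kdestroy}"
DOMAIN="${DOMAIN:-centrify.vms}"
ZONE="${ZONE:-Global}"
CONTAINER="${CONTAINER:-ou=servers,ou=centrifyse}"
ROLE="${ROLE:-PCI Systems}"

# The keytab is equivalent to the joiner account's password: anyone who can
# read it can get tickets as that account. Refuse anything but 0600/0400.
check_keytab() {
    local kt="$1" mode
    [ -f "$kt" ] || { echo "keytab $kt not found" >&2; return 1; }
    mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "keytab $kt has mode $mode, expected 0600 or 0400" >&2; return 1 ;;
    esac
}

# Obtain a TGT for the joiner in a private credential cache, run the given
# command, then destroy the cache so the ticket does not outlive the step.
with_joiner_ticket() {
    export KRB5CCNAME="FILE:/tmp/ad-joiner.$$.cc"
    env KRB5_CONFIG="$KRB5_CONF" "$KINIT" -kt "$KEYTAB" "$PRINCIPAL" || return 1
    "$@"
    local rc=$?
    "$KDESTROY" 2>/dev/null
    rm -f "/tmp/ad-joiner.$$.cc"
    return "$rc"
}

# Install, pre-flight the domain (DNS, time, ports), then join.
onboard() {
    check_keytab "$KEYTAB" || return 1
    yum -y install CentrifyDC || return 1
    adcheck "$DOMAIN" || { echo "adcheck failed; not joining" >&2; return 1; }
    with_joiner_ticket adjoin --zone "$ZONE" --container "$CONTAINER" \
        --computerrole "$ROLE" "$DOMAIN"
}

# --remove deletes the computer object and zone profile, so nothing is left
# orphaned and the license is released right away instead of after 45 days.
offboard() {
    check_keytab "$KEYTAB" || return 1
    with_joiner_ticket adleave --remove || return 1
    yum -y erase CentrifyDC
}

case "${1:-}" in
    join)  onboard ;;
    leave) offboard ;;
    *)     echo "usage: $0 join|leave" >&2 ;;
esac
```

The script is meant to be called as the last step of a provisioning run (join) and the first step of a termination hook (leave); because both paths go through the same keytab check and the same short-lived credential cache, a keytab that was copied onto the image with loose permissions is caught before it is ever used.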