11 April,19 at 11:50 AM
Background
Note: this is a companion article to the blog post titled: "[HOWTO] Orchestration Basics - Using a Puppet script to deploy Centrify and join Active Directory" - these posts are relatively identical, the only difference is the tool.
In the field, we often get inquiries on deployment, governance or orchestration frameworks. Common questions range from: how do I deploy the Centrify client? or How do I establish an approval flow for the Access Control model that you facilitate?
Sometimes we also hear these questions: We use Ansible | Bladelogic | Chef | Puppet in house, how would I go about deploying your product?
These are important questions, especially in the age of private/public clouds and elastic environments. Some of you are adopting frameworks like OpenStack, Amazon AWS or Microsoft Azure that underneath use these toolsets.
At Centrify we have invested heavily through the years to make sure that the products "just work". From a deployment perspective, we our messaging is consistent:
In other words, Centrify software is easier to use in these scenarios than what the typical IT Infrastructure lead may think.
Disclaimers and Acknowledgements
What is required?
Note: Although it's possible for you to follow this and put together a working prototype, I strongly-encourage that you really explore the concept of infrastructure as code.
Finally, By no means what's outlined here is ready for production. Check out the reading list below.
Example Diagram
Implementation Steps
Planning
The goal of this lab is to be able to deploy the Centrify bits in a RedHat, CentOS, Scientific or Oracle system in a consistent way. The 'core' process without checking for major dependencies or issues is to:
Building Blocks
Make the krb5.conf and service account keytab available to your infrastructure
In the original article, we piggy-backed on the Apache webserver as the transport for our repository. Now we're going to create another folder for utilities (utils for short) and copy the keytab and krb5.conf file.
Perform a basic installation of the ChefDK
Create and test your stand-alone Chef Recipe
# This stand-alone recipe will install the Centrify Agent on RHEL derivatives, # joins Active Directory and places the system in a Computer Role # Notes: This recipe is not idempotent (achieving this is up to you!) # Variables for my environment (see blog post) # domain is the most basic parameter to join Active Directory domain = 'centrify.vms' # in Zone Mode (licensed with UNIX identity and Access Control) the zone # parameter corresponds is where the system will be placed zone = 'Global' # OU is where your computer object will be placed in Active Directory # your ad-joiner account should be able to join systems to this container ou = 'ou=servers,ou=centrifyse' # A Computer role is one of the ways to group systems and define access # control. A system may be a member of multiple computer roles. # E.g. a LAMP system may be accessible by Web Admins, Developers and # DBAs with different access rights and privileges. crole = 'PCI Servers' # In a pre-requiste blog entry, I outlined how to create a YUM repository for # RHEL and derivatives. This means that you need a yum or apt repo with # the Centrify packages. Per Chef, the default action will be to install the package. package 'CentrifyDC' # Centrify's utilities are Kerberized, this means that they will use the current # user's Kerberos TGT to attempt the transaction against AD. However, in a # virgin system, there are no working krb5.conf files, therefore kinit won't know # how to find a KDC to authenticate against. This is why we need a krb5.conf # file from a working system (or that points to a reachable Domain Controller), # in the previous blog entry, we piggy-backed on an Apache Web server to serve those files. remote_file '/tmp/krb5.conf' do source 'http://linux2.centrify.vms/centrify/utils/krb5.conf' owner 'root' group 'root' mode '0644' action :create end # The keytab corresponds to a service account that has the minimal rights, in # this case, the rights to write a computer object in the designated container # (ou) needless to say, you need to treat this file with care and if posible, # remove when complete. remote_file '/tmp/ad-joiner.keytab' do source 'http://linux2.centrify.vms/centrify/utils/ad-joiner.keytab' owner 'root' group 'root' mode '0644' action :create end # In this command, we authenticate against AD with the keytab of our service # account. Note that we are using the usable krb5.conf file so kinit can reach # a KDC (domain controller). The end-result is that root (or sudo) user will # have a TGT and you don't need to put keys, hashes or passwords in your script. execute 'env' do command "env KRB5_CONFIG=/tmp/krb5.conf /usr/share/centrifydc/kerberos/bin/kinit -kt /tmp/ad-joiner.keytab ad-joiner" end # Finally we run adjoin. At this point we are using the variables from my # environment. Although in doing so, we broke the 'idempotent principles, I'm # certain that Chef experts will understand how to implement an independent cookbook execute 'adjoin' do command "/usr/sbin/adjoin -z #{zone} -c #{ou} -R \"#{crole}\" -V #{domain}" end
# Cleanup
execute 'kdestroy' do
command "env KRB5_CONFIG=/tmp/krb5.conf /usr/share/centrifydc/kerberos/bin/kdestroy"
end
file '/tmp/ad-joiner.keytab' do
action :delete
end
file '/tmp/krb5.conf' do
action :delete
end
$ sudo chef-apply install-centrifydc.rb Recipe: (chef-apply cookbook)::(chef-apply recipe) * yum_package[CentrifyDC] action install - install version 5.2.3-429 of package CentrifyDC * remote_file[/tmp/krb5.conf] action create - create new file /tmp/krb5.conf - update content in file /tmp/krb5.conf from none to 186d5f [truncated] * execute[kinit] action run - execute env KRB5_CONFIG=/tmp/krb5.conf /usr/share/centrifydc/kerberos/bin/kinit -kt /tmp/ad-joiner.keytab ad-joiner * execute[adjoin] action run - execute /usr/sbin/adjoin -z Global -c ou=servers,ou=UNIX -R "App Servers" -V centrify.vms
Verification Video
Adjustments
There are absolutely many improvements that can be made. Here are a few that come to mind (in no specific order):
Reading List
Although any capable IT admin is able to spend a few hours and make something like this work, my advice is to explore deeper the concepts around 'Infrastructure as Code'; I'm of the opinion that it's a game-changing paradigm. I recommend (still reading):
For a "remove-centrifydc" recipe, see the attachment.