11 April,19 at 11:49 AM
Security Requirements
Tools
As always, we'll use the Plan-Do-Check-Adjust method
For a simple example, we'll consider the following planning steps:
Implementation (Do)
The implementation has two kinds of steps:
Example Reference Design
This is an excerpt of my Amazon AWS infrastructure. We have an AD forest (corp.centrifying.net) with a Global Centrify zone and a computer role named Web Servers. Computer objects live under the corp.centrifying.net/Centrify/Servers OU. The access/privilege model has been created with two roles (SysAdmin and Web Admin). In this example, our service account (ad-joiner) must be able to add/move/change computer objects in the Servers OU, and must also be able to add computer accounts to the AD groups contained in the Computer Roles OU. Those two delegations are all the account needs; it should not hold any broader rights in the forest.
Preparing the Service Account (one-time)
$ dzdo /usr/sbin/adkeytab --adopt --user bootcamp.admin --samname ad-joiner --keytab ad-joiner.keytab -V "AD Joiner Service Account"

I used dzdo (as root) so the key table is owned by root. Keep in mind that the keytab holds the long-term key of the ad-joiner account: anyone who can read the file can obtain a TGT as ad-joiner, so it must stay root-owned and mode 0600 in the image, and the account should carry only the delegated rights on the Servers OU and the computer-role groups described above.
Tools for your Image (one-time for each template)
Kerberos configuration file and Keytab
Obtain a krb5.conf file from a working system in the same environment. This step is non-trivial in an elastic environment: the krb5.conf file baked into the image has to list a single domain controller, or a set of domain controllers, that you expect to stick around. Otherwise, if you decommission those DCs, the automation scripts will break because kinit will no longer be able to obtain a Ticket-Granting Ticket. If the instances can resolve the domain's DNS SRV records, setting dns_lookup_kdc = true in the [libdefaults] section of a stock MIT-style krb5.conf lets kinit discover KDCs instead of depending on a hardcoded list.
Centrify Bits
In this example, only the Centrify standard agent is installed. Installation does not mean "joined": the image carries the agent binaries, but the computer account, zone profile and machine credentials only exist after adjoin runs on the launched instance.
Utility Scripts (examples for this use case)
a) Renaming your system (not centrify-related, but relevant)
This depends on the platform and utilities that you have, and should be part of your orchestration. In my case, in AWS the naming convention provides a hostname tied to the internal IP address (ip-12-34-56-78). I am using the user data field of the image customization to rename the system to a combination of a prefix ("aws" in this description, "awscen" in the script below) and the instance ID. This will keep the names within the 15-character legacy limitation. Note that this only holds for the older 8-hex-digit instance IDs (i-xxxxxxxx); with the current 17-hex-digit IDs the prefix plus ID exceeds 15 characters and the name has to be shortened deterministically.
#!/bin/bash
# Initialize data and obtain information from AWS metadata
DOMAIN=corp.centrifying.net
INSTANCEID=$(/usr/bin/curl -s http://169.254.169.254/latest/meta-data/instance-id)
HOSTNAME="awscen-$INSTANCEID"
IPV4=$(/usr/bin/curl -s http://169.254.169.254/latest/meta-data/local-ipv4)

# Modify hostname
hostname "$HOSTNAME"
echo "$HOSTNAME" > /etc/hostname

# Change settings in CentOS platform (write the new name, not the bare instance ID,
# otherwise the hostname reverts on the next network restart)
printf "NETWORKING=yes\nHOSTNAME=%s\nNOZEROCONF=yes\n" "$HOSTNAME" > /etc/sysconfig/network

# Add fqdn to hosts file
cat > /etc/hosts <<EOF
# This file was modified by the user-data postscript
127.0.0.1 localhost
$IPV4 $HOSTNAME.$DOMAIN $HOSTNAME
EOF

service network restart
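The rename above only stays under 15 characters for the old short instance IDs. The following is an added example, not part of the original post, of a small function that derives a name that always fits the limit and refuses input that does not look like an EC2 instance ID (the metadata endpoint is unauthenticated HTTP, so its output should be validated before it becomes a hostname). The prefix values and the sample instance IDs are assumptions for illustration.

```bash
#!/bin/sh
# Added example (not the original post's script): derive a hostname that fits
# the 15-character legacy (NetBIOS) limit from an EC2 instance ID.
# "awscen" plus a current 17-hex-digit instance ID is 25 characters,
# so the name has to be shortened deterministically.

# make_hostname PREFIX INSTANCE_ID
# Prints the derived name on stdout; returns 1 on unexpected input.
make_hostname() {
    prefix=$1
    instance_id=$2
    # Only accept the i-<lowercase hex> shape that EC2 issues.
    case "$instance_id" in
        i-*) hex=${instance_id#i-} ;;
        *) echo "make_hostname: unexpected instance id '$instance_id'" >&2; return 1 ;;
    esac
    case "$hex" in
        '' | *[!0-9a-f]*) echo "make_hostname: non-hex instance id '$instance_id'" >&2; return 1 ;;
    esac
    name="${prefix}-${hex}"
    if [ "${#name}" -gt 15 ]; then
        # Keep the prefix plus the rightmost hex digits; the tail of the ID is
        # its most variable part. Insist on at least 8 digits (prefix <= 6
        # characters) so names stay reasonably unique within an account.
        keep=$((15 - ${#prefix} - 1))
        if [ "$keep" -lt 8 ]; then
            echo "make_hostname: prefix '$prefix' too long" >&2
            return 1
        fi
        name="${prefix}-$(printf '%s' "$hex" | tail -c "$keep")"
    fi
    printf '%s\n' "$name"
}

# Stand-alone use on an instance (assumes the metadata service is reachable):
#   sh make_hostname.sh --from-metadata
if [ "${1:-}" = "--from-metadata" ]; then
    id=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
    make_hostname "${PREFIX:-aws}" "$id"
fi
```

The function is POSIX sh so it can run from the same user-data script; its output can replace the HOSTNAME assignment in the rename script above.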
b) Joining AD
The steps here are straightforward; the only unusual step is obtaining a TGT for the ad-joiner account so that the Kerberized adjoin command can pick up the credentials (hence no password has to be embedded in the image or the script). In this particular case we also add the machine to the Web Servers computer role, which makes the script image-specific. This can be improved.
#!/bin/bash
echo "Obtaining TGT ..."
sleep 1
# Use the baked-in krb5.conf and keytab; stop here if no TGT could be obtained
env KRB5_CONFIG=/centrify/scripts/krb5.conf \
    /usr/share/centrifydc/kerberos/bin/kinit -kt /centrify/scripts/ad-joiner.keytab ad-joiner || exit 1
sleep 1
echo "Joining the domain"
adjoin -z Global -c "ou=servers,ou=centrify,ou=bootcamp" corp.centrifying.net
sleep 10
echo "Joining the Web Servers Computer Role"
# adedit runs the Tcl script directly; pass the domain, the system name and the role
adedit /centrify/scripts/add-member.tcl -d "$(adinfo -d)" -n "$(adinfo -n)" -r webservers
sleep 2
echo "Flushing the Cache"
/usr/sbin/adflush --force
# Older versions of CDC required restart
#/etc/init.d/centrifydc restart
echo "Destroying Kerberos Tickets"
/usr/share/centrifydc/kerberos/bin/kdestroy
echo "Complete."
c) adedit script
Important: As of release 2015.1 (5.2.3) of the UNIX agent, adjoin supports the --computerrole parameter, which completely eliminates the step below.
Note that the script above calls out to a Tcl script and passes the domain name (the output of adinfo -d), the name of the system (the output of adinfo -n) and the type of server (webservers). The script is not optimized, but it contains the basic functionality: bind to the domain and use the add_user_to_group function to add the computer object to the target group. Note also that the role name is static, so it is image-specific for Web Servers.
package require ade_lib

proc usage {msg} {
    puts {usage: -d <domain> [-n <name>] [-r <role>]}
    puts $msg
    exit 1
}

if {[getopt argv -d domain] == 0} {
    usage "You MUST kinit before this utility! Also, missing arguments (domain); eg. -d example.com -n system-01 -r webserver"
}

if {[getopt argv -n name] != 0} {
    if {[getopt argv -r role]} {
        # bind uses the TGT obtained by the calling script
        bind $domain
        # The computer's sAMAccountName is the short host name followed by "$".
        # (The original used "string trimright", which strips a character set
        # rather than the domain suffix and could over-trim some host names.)
        set shortname "[lindex [split $name .] 0]\$"
        set rolegroup "centrify-global-unix-cr-$role"
        add_user_to_group $shortname\@$domain $rolegroup\@$domain
        puts Complete.
    }
}
As a matter of fact, this is a modified version of one of the sample scripts included in the adedit guide.
d) Cleanup script
Just like the joining script, this one cleans up the AD objects (computer object, zone profile, etc.); the expectation is that this script will be used when instances are being decommissioned.
#!/bin/bash
echo "Obtaining TGT ..."
sleep 1
# Same keytab-based TGT as the join script; abort if it cannot be obtained
env KRB5_CONFIG=/centrify/scripts/krb5.conf \
    /usr/share/centrifydc/kerberos/bin/kinit -kt /centrify/scripts/ad-joiner.keytab ad-joiner || exit 1
sleep 1
echo "Leaving the domain"
# -r removes the computer object and zone profile from AD
adleave -r
sleep 2
echo "Destroying Kerberos Tickets"
/usr/share/centrifydc/kerberos/bin/kdestroy
echo "Complete."
Checking the Results
(This is a 2-video 15 minute playlist)
Part 1 - Description of the Scenario (image launched)
Part 2 - Verification (you can jump to this one if you understand the scenario)
Adjusting
There are a lot of improvements to be made to this, starting with the scripts: they could have error handling, and logic that lets one script serve different image templates. Ultimately the key concepts with Centrify are the same:
- AD connectivity
- DNS settings on the UNIX/Linux hosts
- Obtain a TGT of the account with the proper rights
- Perform the operations required (add/moves/changes) with the Centrify tools
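Putting the keytab caveat from the service-account section and the "error handling, reusable across images" point above together, here is an added example, not the original post's script, of a join script with those properties. It assumes the same file locations (/centrify/scripts/krb5.conf, /centrify/scripts/ad-joiner.keytab), the same zone, container and domain as the scripts above, and the --computerrole parameter of adjoin mentioned earlier (agent 5.2.3 / 2015.1 or later), so the computer role is an argument rather than something baked into each image.

```bash
#!/bin/bash
# Added example (not the original post's script): image-agnostic join with
# error handling. Paths, zone, container and domain are assumed to match
# the post; adjust them for your environment.
set -eu

KRB5_CONFIG=/centrify/scripts/krb5.conf
KEYTAB=/centrify/scripts/ad-joiner.keytab
KINIT=/usr/share/centrifydc/kerberos/bin/kinit
KDESTROY=/usr/share/centrifydc/kerberos/bin/kdestroy
DOMAIN=corp.centrifying.net
ZONE=Global
CONTAINER="ou=servers,ou=centrify,ou=bootcamp"
export KRB5_CONFIG

# The keytab is a long-lived credential for ad-joiner. Refuse to use it when
# group or other have any permission bits; parses ls -ld so it works without
# GNU stat. Returns 0 when only the owner has access, 1 otherwise.
check_keytab_perms() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ -n "$perms" ] && [ "$perms" = "------" ]
}

# The role name ends up in an AD group name, so only accept a conservative
# character set; this keeps a bad argument from smuggling in anything odd.
validate_role() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# join_with_role ROLE: obtain a TGT from the keytab, join the zone/container
# and computer role in one adjoin call, and always destroy the ticket.
join_with_role() {
    role=$1
    validate_role "$role" || { echo "invalid role name: $role" >&2; return 1; }
    check_keytab_perms "$KEYTAB" || { echo "refusing: $KEYTAB is readable by group/other" >&2; return 1; }
    # Destroy the ad-joiner TGT on any exit, including a failed adjoin,
    # so the credential does not linger in the cache on the instance.
    trap '"$KDESTROY" >/dev/null 2>&1 || true' EXIT
    "$KINIT" -kt "$KEYTAB" ad-joiner
    adjoin -z "$ZONE" -c "$CONTAINER" --computerrole "$role" "$DOMAIN"
    /usr/sbin/adflush --force
    echo "joined $(adinfo -n) to $DOMAIN with computer role $role"
}

# Run only when a role is supplied, e.g.:  ./join.sh webservers
if [ $# -eq 1 ]; then
    join_with_role "$1"
fi
```

Because set -e is on, a failing kinit or adjoin stops the script before later steps run, and the EXIT trap still removes the ticket; the same two checks could be reused by the cleanup script before adleave.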
Remember there are multiple avenues for automation:
On UNIX & Linux: CLI tools, adedit
On Windows: Centrify PowerShell Modules and the DirectManage/Audit SDK