
How to migrate from Centrify-enabled samba to stock samba and Centrify's Adbindproxy

11 April,19 at 11:51 AM

Support has helped multiple customers who are trying to meet the challenges posed by the Badlock vulnerability in Samba while also learning how to move to Centrify's new adbindproxy component. This article is based on our recent experience helping customers migrate, in the hope that it will help other customers who are seeking similar guidance.

 

The following information applies to Red Hat Linux. If you are using a different operating system, please recognize that some of the commands may differ somewhat.

 

Let’s log into a Linux machine that is joined to a Centrify zone and has Centrify-enabled samba on it. Once logged in, let’s check the shares on the machine by running smbclient at the command prompt.


After verifying the correct shares are listed, let’s back up the samba configuration file:

 

dzdo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak

 

We’re now ready to uninstall the Centrify-enabled samba installation from the machine using the rpm command:

dzdo rpm -e CentrifyDC-samba   (This is case sensitive)

 

And then verify it was removed:

 

dzdo rpm -qa | grep -i Centrify

 

Ensure nothing for Centrify samba is listed. We’ll then want to remove any stock samba 3 installations. We will first search for them:

 

dzdo rpm -qa | grep samba

 

If any show up, we’ll then want to remove the packages with the yum command:

 

dzdo yum remove 'samba*'

Enter a y to remove when prompted.

 

We’re now ready to install samba 4, again utilizing the yum command:

 

dzdo yum install 'samba4*'

When prompted, enter a y to install.

 

We should then verify installation:

 

dzdo rpm -qa | grep samba


As long as the installation is listed, we are ready to move the backed up samba config file into place in order to utilize all of our previous samba settings:

 

dzdo cp /etc/samba/smb.conf.bak /etc/samba/smb.conf

 

 

You can check the date stamp to ensure the smb.conf file is the one we just copied into place.

If you’d like to verify the share files are still showing correctly, please run testparm at the command prompt. The shares should show.


We’re now ready to download and install Centrify’s adbindproxy. Please open a browser and navigate to www.centrify.com and then go to Support and then Download Center and use your Support Portal login to log into the site. Once logged in, please go to “Tools and Troubleshooting” and find “Integration with Samba”. It will then show a list of the different operating systems. Please select the TGZ button next to the line that matches your operating system and download the file.


 

Once the download completes, please copy or move the file to the *nix machine. You can make a directory on the Linux machine where you’d like to untar the tgz file:

 

mkdir /tmp/adbindproxy

 

You can then navigate to the directory where the tgz file is located and untar it:

 

mv centrify-adbindproxy……..tgz /tmp/adbindproxy/

cd /tmp/adbindproxy

tar -xvf centrify-adbindproxy…….tgz


We’ll then install adbindproxy with the rpm command:

 

dzdo rpm -Uvh centrify-adbindproxy…….rpm


After the installation is complete, we’ll want to run the configuration script for adbindproxy and we’ll mostly be taking the defaults in the script with a few exceptions:

 

dzdo /usr/share/centrifydc/bin/adbindproxy.pl

 

One of the prompts will ask if you want to join the machine to a zone. If it’s already joined, you can just press Enter. If you need to join it to a zone, you can enter the zone name here and press Enter.

 

The next prompt you want to watch for is the one that says:

 

Please specify the stock samba winbind listen path(dir)if it is not in [/run/samba/winbindd]:

RHEL 6 often uses /var/run/samba/winbindd for its winbindd listen path so you’ll want to verify the winbindd path and change it here if necessary. If it uses the default path, you can just press enter.

 

You should just be able to take the defaults through the rest of the script but you may want to read them to verify they are correct before pressing enter.

After the script completes, the samba services (smbd, nmbd, winbindd and adbindd) will need to be restarted. Centrify has a built-in command for restarting all four services so that they don’t have to be restarted one at a time. At the command prompt, please run:

 

dzdo service centrifydc-samba restart

 

You’ll be able to verify the services are starting OK at this point.

 

We’ll want to add this setting to chkconfig to ensure this command runs if the server is ever rebooted. We can do that by running the following command:

 

dzdo chkconfig --add centrifydc-samba

 

We then need to enable the service so that it starts at boot:

dzdo chkconfig centrifydc-samba on

 

And then verify it started correctly for the run levels that are necessary:

 

dzdo chkconfig --list centrifydc-samba

 

We’re ready to verify the samba version installed:

 

smbd -V


We can also verify we see the Linux shares:

 

smbclient -L //localhost


And then connectivity to the shares:

 

smbclient //localhost/sharename

 

It will go to a prompt that looks like smb:\> where you can type ls and the contents of the share should be listed.

You may also want to go to a Windows machine and verify you can get to the shares from there. If you go to Windows Explorer and, in the address window, type in \\servername\sharename, you should see the contents of the share.


You’re all set. You are now running on stock samba with Centrify’s adbindproxy in place to help integrate samba with Centrify.
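
The smb.conf restore and the winbindd listen-path prompt from the steps above can be checked with a short script. This is an added example, not part of the original article or Centrify's tooling; the function names and the script name check_migration.sh are hypothetical, and the directory test is only a heuristic for the listen path.

```shell
#!/bin/sh
# Added example, not Centrify's tooling: sanity checks around the smb.conf
# restore and the winbindd listen-path prompt. POSIX sh, read-only.

# Print the share section names of an smb.conf-style file, lowercased and
# sorted. [global] is skipped; commented-out sections (# or ;) never match.
list_shares() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)][[:space:]]*$/\1/p' "$1" |
        tr '[:upper:]' '[:lower:]' | grep -vx 'global' | sort -u
}

# Print every share that is defined in file $1 but absent from file $2.
missing_shares() {
    after=$(list_shares "$2")
    list_shares "$1" | while IFS= read -r name; do
        printf '%s\n' "$after" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# Print the first existing directory among the arguments. With no arguments,
# try the two paths this article names, default prompt value first.
find_winbindd_dir() {
    [ "$#" -gt 0 ] || set -- /run/samba/winbindd /var/run/samba/winbindd
    for dir in "$@"; do
        if [ -d "$dir" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# Usage: sh check_migration.sh /etc/samba/smb.conf.bak /etc/samba/smb.conf
if [ "$#" -eq 2 ]; then
    lost=$(missing_shares "$1" "$2")
    if [ -n "$lost" ]; then
        echo "shares missing from $2:" >&2
        echo "$lost" >&2
        exit 1
    fi
    echo "all shares from $1 are present in $2"
    find_winbindd_dir || echo "no winbindd directory found (is winbindd running?)" >&2
fi
```

Run it after copying smb.conf.bak back into place and before answering the adbindproxy.pl prompts; a non-zero exit means a share from the backup is not defined in the live configuration.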

 

Centrify has some additional resources on this subject if you’re interested.

There’s a Samba Integration Guide that came with the adbindproxy download and can be found in the directory where we untarred the tgz file. You can also get this documentation from the Centrify website by going to:

 

https://docs.centrify.com/en/cs/suite2016/centrify-adbindproxy-guide.pdf

 

There is also a video that goes over the process step by step that you can view below.

 

  

There are also some knowledge-base articles that are helpful with this process. You can find them in the community section of the website. Links to these KBs are listed below.


Links:

https://centrify.force.com/support/Article/KB-6842-Overview-of-the-steps-to-upgrade-or-migrate-from-Centrify-enabled-Samba-to-stock-Samba-with-Centrify-Adbindproxy

https://centrify.force.com/support/Article/KB-6834-Additional-configuration-steps-for-deploying-Adbindproxy-on-RHEL-7

https://centrify.force.com/support/Article/KB-6731-Impact-of-Badlock-CVE-2016-0128-CVE-2016-2118-on-Centrify-Enabled-Samba
