There have been many questions regarding the use and supportability of Centrify DirectControl on CoreOS (Container Linux). This article answers some of the most common questions that have been asked of Centrify Support.

Question:
Why does Centrify's adclient not create a home directory?

Answer:
Centrify will create a home directory in the hosting CoreOS outside of the containers, but cannot create a home directory inside the containers themselves. This is functionality that Centrify is working to improve, but in the meantime, there are two workarounds:
1) The home directory can be shared between the hosting CoreOS and the containers. There should be no problems with this: adclient is running in the hosting CoreOS and the container is using that adclient, so the user/group namespace is consistent.
2) Inside each container, the pam_mkhomedir module can be used to create its own home directory on first use.

Question:
When the klist command is run inside a container, there is a "command not found" error and there is no Kerberos ticket. Why does that happen?

Answer:
Centrify currently only creates the Kerberos ticket outside of the containers, in /tmp. However, it is not advised to share this directory, as CoreOS is intended to provide for independent containers. Having multiple containers compete for the same directory may cause unforeseen issues. Right now it appears that sharing KCM (Kube Container Manager) would be the best solution for this. Also, the Kerberos ticket is only needed for SSO operations; normal password logins are not affected by this. This is also functionality that Centrify is working to improve.

Question:
How do Centrify's Perl scripts work, since there is no Perl on CoreOS?

Answer:
As part of the Centrify Infrastructure Services suite 19.6 (DirectControl version 5.6.0), Centrify now ships a compiled Perl module in its package for CoreOS. Because of this, Centrify can now enforce group policies on CoreOS. For more information on this, see the following knowledgebase article:
KB-19147: Cannot use Group Policy to install IWA root certificate in CoreOS

Question:
Is it true that CoreOS does not support SELinux?

Answer:
Older versions of CoreOS do not have support for SELinux, but as of the 808.0.0 release of CoreOS, SELinux has been implemented to enforce fine-grained permissions for applications. If SELinux is needed, please upgrade to CoreOS 808.0.0 or higher. The following command can be run on a CoreOS machine to see what version is installed:
$ cat /etc/os-release

Question:
Is Centrify's DirectAudit package supported in CoreOS?

Answer:
Yes, DirectAudit is supported in CoreOS and in the containers. The cdash process talks to the directaudit daemon (dad) running in the hosting CoreOS.
Additional information about installing Centrify packages on CoreOS can be found in the Centrify Planning and Deployment Guide. (Attached to this article)
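
For the SELinux question above, the version check can be scripted instead of read by eye. The following is an added example, not Centrify or CoreOS code: it compares VERSION_ID from an os-release file against 808.0.0, and the function names, the ID=coreos check and the sample file contents are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not Centrify or CoreOS code): release gate for the SELinux answer.
MIN_SELINUX_VERSION="808.0.0"   # threshold stated in the article

# Print the first value of key $2 from os-release style file $1, quotes removed.
os_release_field() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d "\"'"
}

# Return 0 if dotted version $1 >= $2, 1 if lower, 2 if a field is not numeric.
# Fields are compared as integers, so 1010.5.0 > 808.0.0 (a string compare gets this wrong).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        case "$x$y" in *[!0-9]*) return 2 ;; esac
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# 0: CoreOS at or above the threshold; 1: older CoreOS; 2: not CoreOS or no usable version.
# Assumption: Container Linux identifies itself with ID=coreos in os-release.
selinux_capable_release() {
    [ "$(os_release_field "$1" ID)" = "coreos" ] || return 2
    v=$(os_release_field "$1" VERSION_ID)
    [ -n "$v" ] || return 2
    version_ge "$v" "$MIN_SELINUX_VERSION"
}

# Constructed sample input (not taken from a real host) so the example runs offline.
sample=$(mktemp)
printf 'NAME=CoreOS\nID=coreos\nVERSION_ID=766.5.0\n' > "$sample"
rc=0; selinux_capable_release "$sample" || rc=$?
case $rc in
    0) echo "release supports SELinux" ;;
    1) echo "upgrade to CoreOS $MIN_SELINUX_VERSION or higher for SELinux" ;;
    *) echo "not a CoreOS os-release file, or version unreadable" ;;
esac
rm -f "$sample"
```

On a real host, call `selinux_capable_release /etc/os-release`. The result only says whether the release is new enough; whether SELinux is actually enforcing on that host is a separate check.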