Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-8928: How to set-up Centrify in a Docker container

Authentication Service ,  

19 July,17 at 05:59 PM

Applies to: Centrify Direct Control 5.3.1 on all supported platforms

How to: 
How does one set up and intergrate Centrify Direct control with a Docker Container. 

Note:
Centrify is planning to write a formal white paper on this subject in the future.

The are 3 possible scenarios:
(1) Docker runs using the adclient running on the hosting host
(2) Docker runs with DirectControl (adclient) running inside the container 
(3) Docker runs with adclient running in another Docker container. (uncommon)

Please note that the configuration will be different in each scenario and we will only cover how to configure the first scenario.

Steps:
1. Install CentrifyDC on the hosting host, and adjoin to the domain. 
2. Install CentrifyDC inside the container so it has all the binaries (PAM, NSS library and utilities).
3. At host level, tar up all the "adjoin" configuration/data files:

tar -cvf join-data.tar /etc/centrifydc/ /etc/centrifyda/ /etc/pam.d/ /etc/nsswitch.conf

optionally also include

/etc/krb5.conf /etc/krb5.keytab ... for kerberized applications

4. Copy and expand the tar inside the docker container.
5. The run time data (/var/centrifydc) has to be shared between the host and the docker container. 
used to run Docker:

docker run -t -i -v /var/centrifydc:/var/centrifydc mycentos:working /bin/bash

Additonal shared directories (optional):

  • If you wish to audit session inside container you will also need to share /var/centrifyda.
  • Share /var/centrify as this is where adinfo will put output and where adclient put the certs and CA chain for auto-enrollment.
  • Share /tmp - this is where kerberos ticket cache (krb5cc_<uid>)will be stored for kerberized applications - for example, SSO. 

Note:
(1) Optionally, you may consider to share the 2 following directory through the "docker run -v" option as read-only, instead of packing them in the tar file.
/etc/centrifydc ... read only, directory
/etc/centrifyda ... read only, directory

(2) the following files we need as read only inside the container:
/etc/pam.d ... read only, directory
/etc/nsswitch.conf ... read only
/etc/krb5.keytab ... read only
/etc/krb5.conf ... read only
There is no option to share files, only directory. Given the containers will need their own /etc and have their own unique configurations, we prefer to pack them and replace them inside the container.

(3) /var/centrifydc (this cannot be read only).
it conains 2 Unix sockets used for all the client processes to talk to adclient.

(4) /var/centrifyda cannot be shared as read only
this is where the Unix socket resides for cdash to talk to dad daemon

 

Related Articles

 articleHOWTO: Secure container/docker environments by managing privileges for admins and users articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS article[Howto] - Securing Containers with the Centrify Identity Platform articleKB-11266: Enable DirectControl and DirectAudit functionalities inside a Docker Container articleDocker TechCenter articleKB-8929: Log into Docker container using AD user does not work article[HOWTO] Setup the Zone Provisioning Agent articleControlling docker access with Centrify Privilege Elevation articleKB-10559: Command adquery fails within Docker container