Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-8942: What are the steps to migrate a RHEL Brightstore cluster to Centrify

Centrify DirectControl ,  

21 July,17 at 07:41 PM

Applies to:  
Centrify DirectControl Agent on Red Hat linux running a Brightstore cluster
 

Question: 

What are the steps to migrate a RHEL Brightstore cluster to Centrify

Answer: 

Installation on a headnode:
 
Once the tarball is downloaded from Centrify's website you need to uncompress it:
 

$ tar zxf centrify-suite-2017.1-rhel4-x86_64.tgz
 
The tarball contains a utility to verify that there are no problems, such as firewall or DNS issues. It is recommended that you run the utility and address any issues that it might detect:
$ ./adcheck-rhel3-x86_64 bright.corp
OSCHK    : Verify that this is a supported OS                          : Pass
PATCH    : Linux patch check                                           : Pass
PERL     : Verify perl is present and is a good version                : Pass
SAMBA    : Inspecting Samba installation                               : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass
HOSTNAME : Verify hostname setting                                     : Pass
NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
DNSPROBE : Probe DNS server 127.0.0.1                                  : Pass
DNSCHECK : Analyze basic health of DNS servers                         : Pass
WHATSSH  : Is this an SSH that DirectControl works well with           : Pass
SSH      : SSHD version and configuration                              : Pass
DOMNAME  : Check that the domain name is reasonable                    : Pass
ADDC     : Find domain controllers in DNS                              : Pass
ADDNS    : DNS lookup of DC bright-dc01.bright.corp                    : Pass
ADPORT   : Port scan of DC bright-dc01.bright.corp                     : Pass
ADDC     : Check Domain Controllers                                    : Pass
ADDNS    : DNS lookup of DC bright-dc01.bright.corp                    : Pass
GCPORT   : Port scan of GC bright-dc01.bright.corp                     : Pass
ADGC     : Check Global Catalog servers                                : Pass
DCUP     : Check for operational DCs in bright.corp                    : Pass
SITEUP   : Check DCs for bright.corp in our site                       : Pass
DNSSYM   : Check DNS server symmetry                                   : Pass
ADSITE   : Check that this machine's subnet is in a site known by AD   : Pass
GSITE    : See if we think this is the correct site                    : Pass
TIME     : Check clock synchronization                                 : Pass
ADSYNC   : Check domains all synchronized                              : Pass
After that, you can start the installation by running install.sh. First, select the appropriate version of Centrify:
 
$ ./install.sh
 
*****                                                                 *****
*****             WELCOME to the Centrify Suite installer!            *****
*****                                                                 *****
 
Detecting local platform ...
 
With this script, you can perform the following tasks:
    - Install (update) Centrify Suite Enterprise Edition (License required) [E]
    - Install (update) Centrify Suite Standard Edition (License required) [S]
    - Install (update) Centrify Suite Express Edition [X]
    - Custom install (update) of individual packages [C]
 
You can type Q at any prompt to quit the installation and exit
the script without making any changes to your environment.
 
How do you want to proceed? (E|S|X|C|Q) [E]: E
After this, enter some basic information in order to be able to join the domain. When asked to reboot the system during the installation dialog, make sure that you answer "No".
Do you want to continue to install in Express mode? (C|Y|Q|N) [Y]:
 
Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]:N
Join an Active Directory domain? (Q|Y|N) [Y]:
    Enter the Active Directory domain to join [company.com]: bright.corp
    Enter the Active Directory authorized user [administrator]: johndoe
    Enter the password for the Active Directory user:
    Enter the computer name [headnode]:
    Enter the container DN [Computers]:
    Enter the name of the domain controller [auto detect]:
Reboot the computer after installation? (Q|Y|N) [Y]:N
 
You chose Centrify Suite Express Edition and entered the following:
    Install CentrifyDC 5.2.0 package: Y
    Install CentrifyDC-nis 5.2.0 package: N
    Install CentrifyDC-openssh 5.1.4 package: Y
    Install CentrifyDC-ldapproxy 5.2.0 package: N
    Install CentrifyDA 3.2.1 package: N
    Run adcheck                      : N
    Join an Active Directory domain  : Y
    Active Directory domain to join  : bright.corp
    Active Directory authorized user : johndoe
    computer name                    : headnode
    container DN                     : Computers
    domain controller name           : auto detect
    Reboot computer                  : N
 
 
If this information is correct and you want to proceed, type "Y".
To change any information, type "N" and enter new information.
Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]
Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]:
Joining the Active Directory domain bright.corp ...
Using domain controller: bright-dc01.bright.corp writable=true
Join to domain:bright.corp, zone:Auto Zone successful
 
Centrify DirectControl started.
Loading domains and trusts information
 
Initializing cache
.
You have successfully joined the Active Directory domain: bright.corp
in the Centrify DirectControl zone: Auto Zone
 
 
You may need to restart other services that rely upon PAM and NSS or simply
reboot the computer for proper operation.  Failure to do so may result in
login problems for AD users.

The install script will modify nsswitch.conf and the configuration of PAM, but it will not remove the entries related to LDAP. You will need to remove these entries manually. After your change, the configuration files should look like:
 
$cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       ldap                    Use LDAP (only if nss_ldap is installed)
#       nisplus or nis+         Use NIS+ (NIS version 3), unsupported
#       [NOTFOUND=return]       Stop searching if not found so far
#
 
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files ldap nis
#shadow:    db files ldap nis
#group:     db files ldap nis
 
passwd: centrifydc      files
shadow: centrifydc      files
group: centrifydc       files
 
#hosts:     db files ldap nis dns
hosts:      files dns
 
# Example - obey only what ldap tells us...
#services:  ldap [NOTFOUND=return] files
#networks:  ldap [NOTFOUND=return] files
#protocols: ldap [NOTFOUND=return] files
#rpc:       ldap [NOTFOUND=return] files
#ethers:    ldap [NOTFOUND=return] files
 
bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  files
automount:  files
aliases:    files
$
$cat /etc/pam.d/system-auth
# lines inserted by Centrify Direct Control (CentrifyDC 5.2.0-218)
auth       sufficient     pam_centrifydc.so
auth       requisite      pam_centrifydc.so deny
account    sufficient     pam_centrifydc.so
account    requisite      pam_centrifydc.so deny
session    required       pam_centrifydc.so homedir
password   sufficient     pam_centrifydc.so try_first_pass
password   requisite      pam_centrifydc.so deny
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
 
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
 
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
 
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
$
 
$cat /etc/pam.d/password-auth
# lines inserted by Centrify Direct Control (CentrifyDC 5.2.0-218)
auth       sufficient     pam_centrifydc.so
auth       requisite      pam_centrifydc.so deny
account    sufficient     pam_centrifydc.so
account    requisite      pam_centrifydc.so deny
session    required       pam_centrifydc.so homedir
password   sufficient     pam_centrifydc.so try_first_pass
password   requisite      pam_centrifydc.so deny
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
 
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
 
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
 
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
$

User Portal authentication using Centrify
 
For the user portal you will need to modify the configuration of the PAM module for PHP:
$ cat /etc/pam.d/php
auth       sufficient   pam_centrifydc.so
account       sufficient   pam_centrifydc.so
$

Disable LDAP
$ cmsh
[headnode]% device use master
[headnode->device[headnode]]% services
[headnode->device[headnode]->services]% remove ldap
[headnode->device*[headnode*]->services*]% commit
$ chkconfig nslcd off
$ chkconfig ldap  off
Remove the LDAP healthcheck
$ cmsh
[headnode]% monitoring
[headnode->monitoring]% healthchecks
[headnode->monitoring->healthchecks]% use ldap
[headnode->monitoring->healthchecks[ldap]]% usedby
HealthCheck used by the following:
Type             Name             Parameter        Autochange
---------------- ---------------- ---------------- ------------
MonConf                           healthcheck      yes
[headnode->monitoring->healthchecks[ldap]]% remove
[headnode->monitoring->healthchecks*]% commit
Successfully removed 1 HealthChecks
Successfully committed 0 HealthChecks
[headnode->monitoring->healthchecks]%
Installing Centrify for the computing nodes
 
In order to install Centrify on the compute nodes, you will need to install Centrify on a running node, follwoing the same instructions as in the case of the headnode. Once the installation is complete, you will need to grab the software image using either CMSH or CMGUI:
 
e.g.

 
[root@kerndev ~]# cmsh
[kerndev]% device use node001
[kerndev->device[node001]]% grabimage -w
[kerndev->device[node001]]%
Mon Nov 24 12:15:45 2014 [notice] kerndev: Provisioning started: sending node001:/ to kerndev:/cm/images/openstack-image, mode GRAB, dry run = no
[kerndev->device[node001]]%
Mon Nov 24 12:15:59 2014 [notice] kerndev: Provisioning completed: sent node001:/ to kerndev:/cm/images/openstack-image, mode GRAB, dry run = no
grabimage -w [ COMPLETED ]
[kerndev->device[node001]]%
Exclude lists
 
You will also need to modify the exclude lists for the node's category, in order to prevent update/synchronization operations from altering Centrify's cache:

 
# cmsh;
% category use default
% set excludelistsyncinstall
(add the following line)
/var/centrifydc/*
/var/centrify/*
no-new-files: - /var/centrifydc/*
no-new-files: - /var/centrify/*
 
% set excludelistgrab
(add the following line)
- /var/centrifydc/*
- /var/centrify/*
   
% set excludelistgrabnew
(add the following line)
- /var/centrifydc/*
   
% set excludelistupdate
(add the following line)
/etc/krb5.*
/var/centrifydc/*
/var/centrify/*
no-new-files: - /var/centrifydc/*
no-new-files: - /var/centrify/*
 
% commit

SELinux
 
If you are using SELinux, then you may need to restore the SELinux context of the Kerberos key table file:
$ restorecon /etc/krb5.keytab



These steps can also be found in the attached PDF.

NOTE:
This infoirmation was obtained from the following NON-Centrify controlled site.
https://kb.brightcomputing.com/faq/index.php?action=artikel&cat=13&id=234&artlang=en


 
Attachments:

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.