11 April,19 at 11:50 AM
The goal of this article is to set up the building-blocks to test Centrify Server Suite and Privilege Service in an AWS environment. This article is the foundation for several how to guides in development.
Audience: Technical leads looking to test capabilities in a lab environment.
Knowledge level: You must be familiar with AWS, Linux, Windows, TCP/IP, the Domain Name System and basic Centrify product capabilities.
Levels
Basic AWS Setup
The basic steps to set up an AWS Playground lab are:
Create an IAM User (optional)
Once you have this set-up, we can talk about some planning scenarios.
Planning to modify your Security Rules
Create an S3 Bucket
Official instructions here: http://docs.aws.amazon.com/AmazonS3/latest/UG/CreatingaBucket.html
Sanity Check # 1
At this point, you should have:
Active Directory in AWS
Active Directory in AWS (or other clouds) can be deployed in different ways. It all boils down to the connectivity between corporate and AWS. If there is a dedicated VPN, and provided that DNS and Security rules are well designed, you can either extend or duplicate your AD infrastructure in AWS.
For more information: http://docs.aws.amazon.com/quickstart/latest/active-directory-ds/architecture.html
This article is not concerned with that. If you are doing a lab, most likely you'll be using the scenario where AD is run in AWS (hosted by you in EC2 instances) or hosted by AWS (SimpleAD or AWS Directory Service).
1. Setting-up Active Directory in AWS
Hosting your own Active Directory Domain Controller in an AWS EC2 Instance
There are many resources, like the official recipe from Amazon here: http://docs.aws.amazon.com/quickstart/latest/active-directory-ds/step1.html. However, for a small lab, I recommend that you have the following:
For setup, you can reuse the instructions from the Microsoft Test Lab Guides to onboard the DC1 and APP1 servers.
2. Configuring Microsoft DNS with a Forwarder
If you are managing your own DC running Microsoft DNS, as a precaution you may want to add the Amazon-provided DNS servers as forwarders. This ensures that AD clients can still resolve public names.
On your DC, in an administrative PowerShell, run this command:
Set-DnsServerForwarder -IPAddress "w.x.y.z" -PassThru
where w.x.y.z is your Amazon-provided DNS server IP address.
Using an Amazon-hosted option
Simple AD: http://docs.aws.amazon.com/directoryservice/latest/admin-guide/cloud_setup_tutorial.html
Active Directory: http://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_directory.html
Note that whether you set up your own, or are using a hosted option, you should have the domain name, IP address(es) for the domain controller(s) and an admin credential. The addresses are needed for the next step, and the credential is needed to manage AD with tools like AD Users and Groups.
3. Modify DHCP Option Sets to align with your new DNS
Without properly functioning DNS there is no Active Directory functionality. DHCP option sets in AWS make this easy, and you don't need to add the complexity of Route 53 (AWS's DNS service).
Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the navigation pane, choose DHCP Options Sets.
Select Create DHCP Options Sets.
Add the options for your domain name and DNS servers (your DC and the Amazon-provided DNS): in Name tag, provide a descriptive name; in Domain name servers, type the IP address of the DC(s) and the Amazon-provided DNS; in Domain name, type the AD domain name.
In the navigation pane, choose Your VPCs.
Select the VPC(s) for your lab, and select Edit DHCP Options Set from the Actions list.
In the DHCP Options Set list, select the set you created, and then choose Save.
Sanity Check # 2
At this point, you should have:
Centrify Standard Edition Lab Setup - Member Server
The member server will be running the Active Directory and Centrify tools. In addition, we can use the server as a Centrify Connector and DirectAudit Infrastructure. This post will focus on AD and Centrify tools:
Add Windows Features
Add-Computer -DomainName domain.name -Credential administrator@domain.name
Provide the credentials and reboot.
Add-WindowsFeature GPMC, RSAT-DNS-Server, RSAT-ADDS
Install Centrify Standard Edition Tools
Initialize Centrify Standard Edition
Initializing Access Manager deploys the Centrify recommended OU structure. This is where the objects for Centrify-related data will reside.
For more information about this OU structure, check out @Fabrice's article here:
http://community.centrify.com/t5/TechBlog/Best-practice-Active-Directory-OU-structure/ba-p/21470
At this point you should have the base configuration to perform the Standard Edition labs.
Sanity Check # 3
At this point, you should:
Set-up a Cast of Characters and Implement a basic Access and Privilege Model
Users, Groups and Roles
Groups
Sample User Creation Script
# Create the AWSDemo OU, the sample users and the unix-users group.
# Adjust the OU path, the domain and the password to fit your environment.
Write-Host "Creating Users..." -ForegroundColor red -BackgroundColor white
$ou = New-ADOrganizationalUnit -Name AWSDemo -Path "dc=example,dc=com" -ProtectedFromAccidentalDeletion $false
$oupath = (Get-ADOrganizationalUnit -Filter 'Name -like "AWSDemo"').DistinguishedName
$passwd = (ConvertTo-SecureString "AWSPlayGround2017!@" -AsPlainText -Force)
New-ADUser -Name "Lisa" -SamAccountName lisa -AccountPassword $passwd -Description "Linux Administrator" -ChangePasswordAtLogon $false -Path $oupath -Enabled $true
New-ADUser -Name "Bart" -SamAccountName bart -AccountPassword $passwd -Description "Security Officer" -ChangePasswordAtLogon $false -Path $oupath -Enabled $true
New-ADUser -Name "Maggie" -SamAccountName maggie -AccountPassword $passwd -Description "Windows Administrator" -ChangePasswordAtLogon $false -Path $oupath -Enabled $true
New-ADUser -Name "Homer" -SamAccountName homer -AccountPassword $passwd -Description "Auditor (Cross-platform)" -ChangePasswordAtLogon $false -Path $oupath -Enabled $true
# A single global security group that every lab user belongs to
New-ADGroup -Name "unix-users" -GroupCategory Security -GroupScope Global -Path $oupath
Get-ADGroup unix-users | Add-ADGroupMember -Members lisa, bart, maggie, homer
Write-Host "User creation completed." -ForegroundColor red -BackgroundColor white
This script creates our cast of AD users and a group inside the AWSDemo OU. Make sure you change the OU path, domain and password values to fit your environment.
Create and Configure a Centrify Zone
Our zone name will be AWS, and it will have a very simple set up. All users will be UNIX-enabled and there will be three roles: A UNIX Sysadmin role, a Windows Sysadmin role and a regular UNIX user role.
Zone Creation and User UNIX-enablement
# Create the AWS zone. The container must be the Zones container of your own
# domain; adjust the DN to fit your environment.
$zone = New-CdmZone -Name AWS -Container "CN=Zones,OU=UNIX,DC=centrify,DC=vms"
Write-Host "Unix-Enabling Users..." -ForegroundColor red -BackgroundColor white
# UNIX-enable each user with an automatic UID, a private group and the zone's
# default home directory, GECOS and shell variables
New-CdmUserProfile -Zone $zone -User lisa@example.com -Login lisa -UseAutoUid -AutoPrivateGroup -HomeDir "%{home}/%{user}" -Gecos "%{u:displayName}" -Shell "%{shell}"
New-CdmUserProfile -Zone $zone -User bart@example.com -Login bart -UseAutoUid -AutoPrivateGroup -HomeDir "%{home}/%{user}" -Gecos "%{u:displayName}" -Shell "%{shell}"
New-CdmUserProfile -Zone $zone -User maggie@example.com -Login maggie -UseAutoUid -AutoPrivateGroup -HomeDir "%{home}/%{user}" -Gecos "%{u:displayName}" -Shell "%{shell}"
New-CdmUserProfile -Zone $zone -User homer@example.com -Login homer -UseAutoUid -AutoPrivateGroup -HomeDir "%{home}/%{user}" -Gecos "%{u:displayName}" -Shell "%{shell}"
Write-Host "Unix-enabling complete." -ForegroundColor red -BackgroundColor white
This script creates the AWS zone and UNIX-enables our users.
UNIX and Windows Admin Roles + Assignments
# UNIX Sysadmin role: run any command as root (the user's own password is
# required) plus the login-all PAM right, with a rescue right and auditing
$cmd1 = New-CdmCommandRight -Zone $zone -Name "Run any command as root" -Pattern "*" -MatchPath "*" -Authentication user
$cmd2 = Get-CdmPamRight -Zone $zone -Name "login-all"
$role1 = New-CdmRole -Zone $zone -Name "UNIX Sysadmin" -UnixSysRights login, ssologin, nondzsh, visible -HasRescueRight $true -AuditLevel possible
Add-CdmCommandRight -Right $cmd1 -Role $role1
Add-CdmPamRight -Right $cmd2 -Role $role1
New-CdmRoleAssignment -Zone $zone -Role $role1 -TrusteeType ADUser -ADTrustee (Get-ADUser -Filter 'Name -like "lisa"')
# Windows Admin role: a desktop that runs as the local Administrators group,
# password required, usable from the console and remote sessions
$desktop1 = New-CdmDesktopRight -Zone $zone -Name "Admin Desktop" -RunasSelfGroups "Builtin\Administrators" -RequirePassword $true
$role2 = New-CdmRole -Zone $zone -Name "Windows Admin" -WinSysRights console, remote -AuditLevel possible
Add-CdmDesktopRight -Role $role2 -Right $desktop1
New-CdmRoleAssignment -Zone $zone -Role $role2 -TrusteeType ADUser -ADTrustee (Get-ADUser -Filter 'Name -like "maggie"')
# Everyone in unix-users gets the built-in UNIX Login role
New-CdmRoleAssignment -Zone $zone -Role (Get-CdmRole -Zone $zone -Name "UNIX Login") -TrusteeType ADGroup -ADTrustee (Get-ADGroup -Filter 'Name -like "unix-users"')
This script creates the roles and assigns them to the proper users and groups.
Install Centrify DirectControl and run adcheck
[centrify]
name=centrify
baseurl=https://username:password@repo.centrify.com/rpm-redhat/
enabled=1
repo_gpgcheck=1
gpgcheck=1
gpgkey=https://downloads.centrify.com/products/RPM-GPG-KEY-centrify
Make sure you substitute the username/password with your own (these are on the repo page of the Download Center).
$ adcheck awsrealm.centrifying.net
OSCHK    : Verify that this is a supported OS                      : Pass
PATCH    : Linux patch check                                        : Pass
PERL     : Verify perl is present and is a good version             : Pass
SAMBA    : Inspecting Samba installation                            : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp    : Pass
HOSTNAME : Verify hostname setting                                  : Warning
         : Computer name should not be localhost or
         : localhost.localdomain. You may edit /etc/hosts or your
         : DNS server to set your hostname correctly or you must
         : use the --name option when running adjoin.
NSHOSTS  : Check hosts line in /etc/nsswitch.conf                  : Pass
DNSPROBE : Probe DNS server 172.31.26.75                            : Pass
DNSPROBE : Probe DNS server 172.31.38.176                           : Warning
         : This DNS server does not respond to requests. This is a serious problem
DNSCHECK : Analyze basic health of DNS servers                      : Warning
         : One or more DNS servers are dead or marginal.
         : Check the following IP addresses in /etc/resolv.conf.
         :
         : The following table lists the state of all configured
         : DNS servers.
         : 172.31.26.75 (ip-172-31-26-75.us-west-2.compute.internal): OK
         : 172.31.38.176 (unknown): dead
         : Only one good DNS server was found
         : You might be able to continue but it is likely that you
         : will have problems.
         : Add more good DNS servers into /etc/resolv.conf.
WHATSSH  : Is this an SSH that DirectControl works well with        : Pass
SSH      : SSHD version and configuration                           : Pass
DOMNAME  : Check that the domain name is reasonable                 : Pass
ADDC     : Find domain controllers in DNS                           : Pass
ADDNS    : DNS lookup of DC dc1.awsrealm.centrifying.net            : Pass
ADPORT   : Port scan of DC dc1.awsrealm.centrifying.net 172.31.26.75 : Pass
ADDC     : Check Domain Controllers                                 : Pass
ADDNS    : DNS lookup of DC dc1.awsrealm.centrifying.net            : Pass
GCPORT   : Port scan of GC dc1.awsrealm.centrifying.net 172.31.26.75 : Pass
ADGC     : Check Global Catalog servers                             : Pass
DCUP     : Check for operational DCs in awsrealm.centrifying.net    : Pass
SITEUP   : Check DCs for awsrealm.centrifying.net in our site       : Pass
DNSSYM   : Check DNS server symmetry                                : Pass
ADSITE   : Check that this machine's subnet is in a site known by AD : Pass
GSITE    : See if we think this is the correct site                 : Pass
TIME     : Check clock synchronization                              : Pass
ADSYNC   : Check domains all synchronized                           : Pass
3 warnings were encountered during check. We recommend checking these before proceeding
Make sure you correct any major errors outlined by adcheck. The key here is name resolution and connectivity with your domain controllers; if you laid out your security rules correctly and DNS resolves the AD records, you should be fine.
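When the join is scripted (for instance from OpsWorks, as in the related article below), something has to read adcheck's verdict instead of a human. The following is an added example, not code from the article or from Centrify: it parses adcheck's "CODE : description : STATUS" output, lists the checks that did not pass, and pulls the dead resolvers out of the DNSCHECK table, which is exactly what went wrong in the run above. The embedded sample is a constructed excerpt of that run; the Failed/Error status words are assumptions about how adcheck spells a hard failure.

```python
import re
# Constructed sample: an excerpt of the adcheck run shown on this page, in
# adcheck's "CODE : description : STATUS" layout with ':'-led detail lines.
SAMPLE = """\
OSCHK    : Verify that this is a supported OS      : Pass
HOSTNAME : Verify hostname setting                  : Warning
         : Computer name should not be localhost or
         : localhost.localdomain. You may edit /etc/hosts or your DNS server.
DNSPROBE : Probe DNS server 172.31.26.75            : Pass
DNSPROBE : Probe DNS server 172.31.38.176           : Warning
         : This DNS server does not respond to requests. This is a serious problem
DNSCHECK : Analyze basic health of DNS servers      : Warning
         : One or more DNS servers are dead or marginal.
         : 172.31.26.75 (ip-172-31-26-75.us-west-2.compute.internal): OK
         : 172.31.38.176 (unknown): dead
TIME     : Check clock synchronization              : Pass
"""

# Statuses other than Pass/Warning are assumed spellings of adcheck's hard failures.
CHECK_RE = re.compile(r"^([A-Z]+)\s*:\s*(.*?)\s*:\s*(Pass|Warning|Failed|Error)\s*$")
DETAIL_RE = re.compile(r"^\s*:\s?(.*)$")
DNS_STATE_RE = re.compile(r"^(\d+(?:\.\d+){3})\s+\([^)]*\):\s*(\w+)$")

def parse_adcheck(text):
    """Records of {'code','desc','status','details'}; ':'-led lines attach to the preceding check."""
    checks = []
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            checks.append({"code": m.group(1), "desc": m.group(2),
                           "status": m.group(3), "details": []})
            continue
        d = DETAIL_RE.match(line)
        if d and checks:
            checks[-1]["details"].append(d.group(1).strip())
    return checks

def failing_checks(checks):
    return [c for c in checks if c["status"] != "Pass"]  # output order is kept

def dead_dns_servers(checks):
    """Resolvers the DNSCHECK table reports as anything other than OK."""
    table = [d for c in checks if c["code"] == "DNSCHECK" for d in c["details"]]
    return [m.group(1) for m in map(DNS_STATE_RE.match, table)
            if m and m.group(2).lower() != "ok"]

def safe_to_join(checks):
    """Gate for unattended adjoin: no hard failure and every resolver healthy."""
    hard = any(c["status"] not in ("Pass", "Warning") for c in checks)
    return not hard and not dead_dns_servers(checks)
```

Feed it the real output with `parse_adcheck(subprocess.run(["adcheck", domain], capture_output=True, text=True).stdout)` and refuse to run adjoin while `safe_to_join` is false; a dead entry in /etc/resolv.conf is normally a DHCP option set that still lists a resolver that no longer exists.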
Modify default AWS EC2 SSH Server Settings
By default, OpenSSH on AWS EC2 instances is not configured to allow password authentication. Although with Centrify the underlying authentication uses Kerberos to talk to the DCs, the user must still be allowed to type their password in the SSH session.
Join your EC2 Linux instance to Active Directory Manually
$ sudo adjoin -z AWS -c "ou=servers,ou=centrify" -n demo3 -u admin awsrealm.centrifying.net
admin@AWSREALM.CENTRIFYING.NET's password:
Using domain controller: dc1.awsrealm.centrifying.net writable=true
Join to domain:awsrealm.centrifying.net, zone:AWS successful
Centrify DirectControl started.
Initializing cache
.
You have successfully joined the Active Directory domain: awsrealm.centrifying.net
in the Centrify DirectControl zone: CN=AWS,CN=Zones,OU=Centrify,DC=awsrealm,DC=centrifying,DC=net
You may need to restart other services that rely upon PAM and NSS or simply
reboot the computer for proper operation. Failure to do so may result in login
problems for AD users.
Verify your UNIX Access and Privilege model
login as: lisa
Server refused our key
lisa@172.31.44.61's password:
Created home directory
       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|
https://aws.amazon.com/amazon-linux-ami/2017.03-release-notes/
2 package(s) needed for security, out of 2 available
Run "sudo yum update" to apply all updates.
$ dzinfo --role
User: lisa
Forced into restricted environment: No
Centrify MFA Service authentication: Supported
Role Name           Avail  Restricted Env
---------------     -----  --------------
UNIX Sysadmin/AWS   Yes    None
Now you can logout Lisa.
login as: homer
Created home directory
$ dzinfo --roles
User: homer
Forced into restricted environment: No
Centrify MFA Service authentication: Supported
Role Name        Avail  Restricted Env
---------------  -----  --------------
UNIX Login/AWS   Yes    None
Note the different role for Homer.
Join your EC2 Windows member to the Centrify Zone
Grant your test users remote desktop access
Install the Centrify Agent for Windows
Verify your Windows Access and Privilege model
Sanity Check # 4
At this point you should have:
MILESTONE: Now you have a system that you can use for sanity checks and to generate some of the tools required for the Standard Edition AWS labs. This is the state of your lab:
Privilege Service Lab Setup - Centrify Tenant and Connector
Obtain a Privilege Service Tenant
Configure Resource Subnet Mapping
This step is very important, especially if you're using the Privilege Service tenant in other environments like local VMs.
Sanity Check # 5
At this point, you should:
MILESTONE: You should be ready to perform the AWS Privilege Service Labs, and this should be the state of your lab.
Related Articles
Creating a Kerberos Keytab for DirectControl joins/unjoins:
http://community.centrify.com/t5/TechBlog/DevOps-Creating-a-Kerberos-Keytab-to-Automate-DirectControl/ba-p/27796
Using AWS OpsWorks (Chef 12) to deploy Centrify DirectControl on EC2 Linux instances: http://community.centrify.com/t5/TechBlog/Labs-Using-AWS-OpsWorks-Chef-12-to-deploy-Centrify-DirectControl/ba-p/27799