Tuesday, December 24, 2013

Lab # 7: Installing the Centrify agent and joining Active Directory

In this lab

  • We will install the Centrify agent in CEN1 using RPM and join Active Directory manually
  • We will install the Centrify agent in SUSE1 using install.sh in interactive mode and join Active Directory manually
  • We will install the Centrify agent and join Active Directory on SOL1 using install.sh in unattended mode.
  • We will use some of the tools and CLI commands included with the base agent.

Install Centrify on CEN1 using RPM

  1. Log in to CLIENT1 with the Jessie Matthews (UNIX administrator) account.
  2. Open PuTTY and connect to CEN1
  3. Go to the /temp folder (or where you copied the Centrify agent files)
  4. Decompress the tarball (elevate if necessary)
    tar xzvf centrify-suite-2013.3-rhel3-x86_64.tgz
  5. Use RPM to install the base agent centrifydc-5.1.2-rhel3-x86_64.rpm
    rpm -Uvh centrifydc-5.1.2-rhel3-x86_64.rpm
  6. To verify that Centrify is installed, run the adinfo command. Notice the output:
    $ adinfo
    not joined any domain
    Licensed Features: Enabled

    The last line means that the agent can see a valid license in AD.

Join CEN1 to Active Directory

Information
Domain to join:  corp.contoso.com
Place to put the computer account:  "OU=Servers,OU=UNIX"
Zone to join:  HQ
User account that can join systems to the target container:  jessie.matthews
Desirable command output:  verbose
  1. Type the following command (requires elevation if you're not root):
    sudo adjoin -z HQ -c "OU=Servers,OU=UNIX" -V -u jessie.matthews corp.contoso.com
  2. Type your sudo password and then Jessie's AD password when prompted.
  3. To verify that the computer has joined successfully, type the adinfo command:
    [centrifying@cen1 temp]$ adinfo
    Local host name:   cen1
    Joined to domain:  corp.contoso.com
    Joined as:         cen1.corp.contoso.com
    Pre-win2K name:    cen1
    Current DC:        dc1.corp.contoso.com
    Preferred site:    CorpHQ
    Zone:              corp.contoso.com/UNIX/Zones/HQ
    CentrifyDC mode:   connected
    Licensed Features: Enabled
  4. Exit the PuTTY session.

Install Centrify on SUSE1 using install.sh

  1. Open PuTTY and connect to SUSE1
  2. Go to the /temp folder (or where you copied the Centrify agent files)
  3. Decompress the tarball (elevate if necessary)
    tar xvfz centrify-suite-2013.3-suse9-x86_64.tgz
  4. Run install.sh in interactive mode: select a custom installation (C), accept the DirectControl Agent package, and answer N to the rest of the options.
    How do you want to proceed? (E|S|X|C|Q) [E]:C
    Install the Centrify DirectControl 5.1.2 package? (Q|Y|N) [Y]:Y
  5. When presented with the confirmation option, select Y.
    You chose Centrify Suite Custom Edition and entered the following:
        Install CentrifyDC 5.1.2 package: Y
        Install CentrifyDC-nis 5.1.2 package: N
        Install CentrifyDC-openssh 5.1.2 package: N
        Install CentrifyDC-ldapproxy 5.1.2 package: N
        Install CentrifyDA 3.1.1 package: N
        Express authentication mode      : N
        Run adcheck                      : N
        Join an Active Directory domain  : N
    If this information is correct and you want to proceed, type "Y".
    To change any information, type "N" and enter new information.
    Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]:Y


To join SUSE1 to AD, follow the instructions outlined for CEN1. Keep in mind that the adjoin command lives in /usr/sbin, in case that directory is not in your PATH.

Install the Agent and Join AD on SOL1 using an unattended installation

  1. Open PuTTY and connect to SOL1
  2. Go to the /temp folder (or where you copied the Centrify agent files)
    You may need to su to root or use Solaris roles to perform the following tasks.
  3. Run tar to decompress the tarball
    tar xvf centrify-suite-2013.3-sol9-x86.tar
  4. Edit the following lines in the centrifydc-install.cfg file. Uncomment lines if necessary.
    ADJOIN="Y"
    DOMAIN="corp.contoso.com"
    USERID=jessie.matthews
    PASSWD=Jessie's or your user's password
    CONTAINER="OU=Servers,OU=UNIX"
    ZONE=HQ

    Comment the following line (add a # in front of it)
    #CentrifyDC_openssh=
    This is to stop Centrify OpenSSH from being installed with the base package.
  5. Save the file.
  6. Run install.sh in non-interactive mode
    ./install.sh -n
At this point the script reads the unattended file and runs adcheck before joining. Sample output:
Joining the Active Directory domain corp.contoso.com ...
Using domain controller: dc1.corp.contoso.com writable=true
Join to domain:corp.contoso.com, zone:HQ successful
Centrify DirectControl started.
Initializing cache
.
You have successfully joined the Active Directory domain: corp.contoso.com
in the Centrify DirectControl zone: CN=HQ,OU=Zones,OU=UNIX,DC=corp,DC=contoso,DC=com
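As an added example (not from the lab and not a Centrify tool), the script below applies step 4's edits to centrifydc-install.cfg and reads the join state back from saved adinfo output, so it also serves as the verification step used for CEN1. The function names and the CENTRIFY_JOIN_PASSWD variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: apply the lab's unattended-install edits to centrifydc-install.cfg
# and read the join state back from adinfo output. Function names and the
# CENTRIFY_JOIN_PASSWD variable are assumptions of this example, not Centrify tools.

# set_cfg_value FILE KEY VALUE: write KEY=VALUE, replacing an existing (even
# commented-out) line. Values must not contain '|' or '&' (sed delimiters).
set_cfg_value() {
  f=$1; k=$2; v=$3
  if grep -q "^#*${k}=" "$f"; then
    sed "s|^#*${k}=.*|${k}=${v}|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  else
    printf '%s=%s\n' "$k" "$v" >> "$f"
  fi
}

# comment_cfg_value FILE KEY: disable a KEY= line with a leading '#'
# (what step 4 does by hand for CentrifyDC_openssh).
comment_cfg_value() {
  f=$1; k=$2
  sed "s|^${k}=|#${k}=|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# prepare_cfg FILE: the SOL1 values from the lab; the join password is taken from
# the environment so it never appears in a script body or shell history.
prepare_cfg() {
  f=$1
  set_cfg_value "$f" ADJOIN '"Y"'
  set_cfg_value "$f" DOMAIN '"corp.contoso.com"'
  set_cfg_value "$f" USERID jessie.matthews
  set_cfg_value "$f" PASSWD "${CENTRIFY_JOIN_PASSWD:?export the join password first}"
  set_cfg_value "$f" CONTAINER '"OU=Servers,OU=UNIX"'
  set_cfg_value "$f" ZONE HQ
  comment_cfg_value "$f" CentrifyDC_openssh
  # The file now holds a cleartext password: keep it private and remove it after install.sh -n.
  chmod 600 "$f"
}

# joined_domain FILE: print the domain from saved 'adinfo' output; return 1 when
# the host reports "not joined any domain" (the state seen right after the RPM install).
joined_domain() {
  d=$(sed -n 's/^Joined to domain:[[:space:]]*//p' "$1")
  [ -n "$d" ] || return 1
  printf '%s\n' "$d"
}
```

Run `adinfo > /tmp/adinfo.out` on the host, then `joined_domain /tmp/adinfo.out` prints the joined domain or exits non-zero.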

Verify the objects in Active Directory

Open ADUC and expand the corp.contoso.com domain, expand UNIX, then expand Servers.
  1. Verify that the two new computer objects are present (refresh if necessary).
  2. Right-click the CEN1 computer object, select Properties and go to the Operating System tab.
Notice that the operating system name and version fields show the correct values for the host.

Add each system to their corresponding computer group

  1. Open Access Manager and navigate to the Zones/HQ/Authorization/Computer Roles node.
  2. Expand Database Servers, right-click Members and select Add Computer.
  3. In the find box, type cen1; click on cen1 in the results box and press OK.
  4. Expand Web Servers, right-click Members and select Add Computer.
  5. In the find box, type suse1; click on suse1 in the results box and press OK.

Now that all the systems are joined to AD and properly categorized, we are ready to start working with users and accessing systems.


Appendix

Installing Using a YUM Repository
http://centrifying.blogspot.com/2015/11/setting-up-simple-yum-repository-to.html
Installing Using a Simple Chef recipe
http://centrifying.blogspot.com/2015/11/deploy-centrify-and-join-active.html
Tools: Install.sh
http://centrifying.blogspot.com/2015/10/utilities-installsh.html
