Sunday, August 24, 2014

Using Kerberos keytabs and Centrify tools to automate UNIX/Linux/Mac AD domain joins or unjoins

The Problem

Dynamic environments expand and contract based on organizational needs; this means that Unix, Linux and Mac OS X servers and workstations are built and decommissioned frequently.  More recently, public/private cloud elasticity has accentuated this issue, and an access control solution may end up adding unnecessary complexity if it is not designed for this reality.

When joining a computer to the domain, the computer name (hostname) may not be known in advance, so the AD computer account cannot be pre-created; an authoritative join is then the only choice.  The issue here is that an AD account with the ability to join computers into the domain (OU) and into the Centrify zone is required.

Fortunately, Centrify designed the Server Suite tool set with this reality in mind.  In this post, we will discuss how to add or remove systems from AD securely, leveraging Kerberos keytabs and tools like adjoin and adleave.  Like all small projects, we'll use the Plan-Do-Check-Adjust methodology.

Planning (Plan)

Requirements:
  • Scripts should not store plain-text passwords
  • Tools must be automation-friendly
  • The least access and least privilege principles must be conserved
  • The Separation of Duties (SoD) principle must be met

Tools:
  • Active Directory Users and Computers
  • Centrify CLI tools: adjoin, adleave, adkeytab
  • Kerberos tools: kinit, kdestroy


For a simple example, we'll consider the following planning steps:

  • Incorporate the Centrify agent bits into the infrastructure image; the agent can be installed without being joined.
  • An AD Service account with the ability to create, remove (or modify) computer objects to the target domain OU should be created.
  • That same AD service account should have the rights to join, remove and modify objects in the target Centrify zone.
  • A Kerberos keytab file needs to be created and securely put in a place where the script can use it.  Let's assume that the file will be securely copied to a local drive and deleted after use.
    Note:  this is important. A Kerberos key table file needs to be treated with the same sensitivity as a private key.  Keytabs are not to be left behind on systems, even if the account has been properly secured.
  • In addition to the keytab file, a krb5.conf file with the correct settings needs to be deployed to the unjoined system so the Kerberos tools can find a KDC (an AD DC).
  • Naming conventions for the service account and the hostname need to be pre-established.  Keep in mind that computer account names have length limitations.
  • An AD OU for Unix/Linux or Mac computers is required to limit the scope of where the join account can perform joins.

Implementation (Do)

AD Join service account setup (1-time steps)
  1. Create the Active Directory service account by using ADUC.  Make sure that the account and its password do not expire.  In this example we'll use "ad-joiner" and the domain is
  2. In Active Directory users and computers, use the Delegate Control wizard to delegate the ability to create and delete computer objects.
  3. In the target Centrify zone, use the Delegate Zone Control wizard to give the service account the rights to join, remove and modify computers in the zone.
  4. On a Centrified system, use adkeytab with the --adopt option to create the Kerberos keytab file and randomize the service account's password.  This is performed as root, so the resulting file is protected by that account.
    # /usr/sbin/adkeytab --adopt --user jerry.seinfeld --keytab ad-joiner.keytab -V ad-joiner
    ADKeyTab version: CentrifyDC 5.1.3-482
    use machine ccache: no
    server: null
    user: dwirth
    container: null
    account: ad-joiner
    trust: no
    des: no
    jerry.seinfeld@CORP.CONTOSO.COM's password:
    Attempting bind to site:Demo-Site ccache:MEMORY:0x566940
    Bind successful to server dc.centrifyimage.vms
    Searching for AD Object: filter = (samAccountName=ad-joiner), root = DC=corp,DC=contoso,DC=com
    AD Object found: CN=ad-joiner,OU=Service Accounts,OU=Unix,DC=corp, DC=contoso,DC=com
    Key Version = 2
    Activating AD account: CN=ad-joiner,OU=Service Accounts,OU=Unix,DC=corp, DC=contoso,DC=com
    Account 'CN=ad-joiner,OU=Service Accounts,OU=Unix,DC=corp, DC=contoso,DC=com' All SPNs already present
    Adding managed account keys to configuration file: ad-joiner
    Changing account 'ad-joiner' password with user 'jerry.seinfeld@CORP.CONTOSO.COM' credentials.
    Searching for AD Object: filter = (samAccountName=AD-JOINER), root = DC=corp,DC=contoso,DC=com
    AD Object found: CN=ad-joiner,OU=Service Accounts,OU=Unix,DC=corp,DC=contoso,DC=com
    Key Version = 3
    Success: Adopt Account: ad-joiner
  5. Verify the keytab file with klist
    # /usr/share/centrifydc/kerberos/bin/klist -kt ad-joiner.keytab
    Keytab name: FILE:ad-joiner.keytab
    KVNO Timestamp         Principal
    ---- ----------------- ----------------------------------
    3 08/24/14 22:22:55 ad-joiner1@CORP.CONTOSO.COM
    3 08/24/14 22:22:55 ad-joiner1@CORP.CONTOSO.COM
    3 08/24/14 22:22:55 ad-joiner1@CORP.CONTOSO.COM
    3 08/24/14 22:22:55 ad-joiner1@CORP.CONTOSO.COM

Checking the Implementation (Check)

In order to verify that the keytab file works and can join or remove a system, you need an unjoined Unix, Linux or Mac system with the Centrify agent installed.
  1. Log into the system with a local account (that can elevate)
  2. Make the keytab file securely accessible.
  3. Copy the /etc/krb5.conf file from a working Centrified system to the local system:
    scp <account>@centrified.system:/etc/krb5.conf /etc/krb5.conf
  4. Use the kinit command with the kt option to get a ticket-granting-ticket as the ad-joiner account.
    /usr/share/centrifydc/kerberos/bin/kinit ad-joiner -kt ad-joiner.keytab
  5. Use the adjoin command without specifying the user option.  Adjoin is Kerberized and it will use the ad-joiner's ticket-granting ticket.
    # adjoin -z Model -c "ou=servers,ou=unix"
    Using domain controller: writeable=true
    Join to domain:, zone: Model succesful

    Centrify DirectControl started
    Initializing cache
  6. At this point the computer has joined the domain.
  7. The same ticket works for the reverse operation with adleave; the -r option also removes the computer object from AD.
    # adleave -r
    Using domain controller: writeable=true
    Left domain.
    Centrify DirectControl stopped.

Adjusting the Process

There are many opportunities to adjust this process and make it better.  Here are some examples:
  • The process can be part of a script that specifies things like zones, computer roles, etc.
  • ADEdit can be used to pre-create the account in the zone and move the computer to the proper computer role.
  • The keytab can be deleted from the local host as part of the script's termination process
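The following script ties the check procedure above (kinit with the keytab, adjoin or adleave without a user option, kdestroy) together with the adjustments just listed. It is an added example written for this post, not a Centrify-provided tool. It assumes the Centrify paths used in the post, that the keytab is copied to the host before the script runs, and that shred is available for cleanup (it falls back to rm otherwise); AD_DOMAIN, ZONE and CONTAINER are placeholders taken from the post's own output and must be adjusted for your environment. The 15-character limit on the computer name is the NetBIOS name limit that AD applies to computer accounts.

```shell
#!/bin/sh
# Added example, not Centrify's own tooling: a keytab-based AD join/leave wrapper
# that never stores a password and removes the keytab when it is done.
# AD_DOMAIN, ZONE and CONTAINER are placeholders (assumptions); the tool paths
# are the ones used in the post.

KRB_BIN=${KRB_BIN:-/usr/share/centrifydc/kerberos/bin}
JOIN_ACCOUNT=${JOIN_ACCOUNT:-ad-joiner}
KEYTAB=${KEYTAB:-/root/ad-joiner.keytab}
AD_DOMAIN=${AD_DOMAIN:-corp.contoso.com}   # assumption: realm seen in the post's output
ZONE=${ZONE:-Model}
CONTAINER=${CONTAINER:-ou=servers,ou=unix}
DRY_RUN=${DRY_RUN:-1}                       # 1 = print commands instead of running them

# AD computer account names map to a NetBIOS name, which is limited to
# 15 characters; reject longer names or characters outside [A-Za-z0-9-].
validate_hostname() {
  case "$1" in
    ''|*[!A-Za-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -le 15 ]
}

# The keytab is as sensitive as a private key: require a regular file with
# mode 0600 (owner read/write only) before using it.
keytab_is_private() {
  [ -f "$1" ] || return 1
  perms=$(ls -ld "$1" | cut -c1-10)
  [ "$perms" = "-rw-------" ]
}

# Run a command, or just echo it when DRY_RUN=1 so the flow can be reviewed.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# Overwrite and remove the keytab so it is not left behind on the host.
destroy_keytab() {
  if command -v shred >/dev/null 2>&1; then
    run shred -u "$1"
  else
    run rm -f "$1"
  fi
}

# Get a TGT from the keytab (no password on the command line or in the script),
# run adjoin without --user so it uses that TGT, then clean up. adjoin names the
# computer after the local hostname by default, so validate that name first.
join_host() {
  host=${1:-$(hostname | cut -d. -f1)}
  validate_hostname "$host" || { echo "invalid computer name: $host" >&2; return 1; }
  keytab_is_private "$KEYTAB" || { echo "keytab missing or not mode 0600: $KEYTAB" >&2; return 1; }
  run "$KRB_BIN/kinit" "$JOIN_ACCOUNT" -kt "$KEYTAB" || return 1
  run adjoin -z "$ZONE" -c "$CONTAINER" "$AD_DOMAIN" || return 1
  run "$KRB_BIN/kdestroy"
  destroy_keytab "$KEYTAB"
}

# Reverse operation: same ticket, adleave -r also removes the computer object.
leave_host() {
  keytab_is_private "$KEYTAB" || { echo "keytab missing or not mode 0600: $KEYTAB" >&2; return 1; }
  run "$KRB_BIN/kinit" "$JOIN_ACCOUNT" -kt "$KEYTAB" || return 1
  run adleave -r || return 1
  run "$KRB_BIN/kdestroy"
  destroy_keytab "$KEYTAB"
}

# Usage: DRY_RUN=0 ./adjoin-keytab.sh join [computer-name]   or   ./adjoin-keytab.sh leave
case "${1:-}" in
  join)  join_host "$2" ;;
  leave) leave_host ;;
esac
```

Run it once with DRY_RUN=1 to review the exact commands it would issue, then with DRY_RUN=0 as root. Because the keytab is destroyed at the end of both paths, a re-run needs a fresh copy of the file, which is the intended behaviour: the credential exists on the host only for the duration of the join or leave.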
