centrifying: November 2015

Centrifying

Background
This article provides a quick-and-dirty Chef recipe that deploys the Centrify agent, authenticates against AD, joins Active Directory, joins a Centrify zone and a computer role. This article is a modified version of a Centrify community post I authored.

Disclaimers

This article provides a "quick basic configuration"; in a true deployment you have to account for high-availability, replication, security, package integrity, supported platforms, supported versions, change control, etc.
All names, logos and trademarks used in this articles correspond to their existing owners.
We are not YUM or Chef subject-matter experts. This would not be possible without the excellent tutorials provided by Chef Software.

What is required?

An Active Directory domain with a zone (you can make it work in workstation/express mode)
A Centrify zone and a Computer Role (optional)
An Active Directory service account for joins and removals, plus a keytab for the account and a usable krb5.conf file. Read this article if you want to know how to create the service account and obtain the keytab.
A RHEL-based system with enough storage for the Centrify RPM packages for each platform (or just for the subset you need to support).
This system has to be set up like the original article with a YUM repo and the Centrify bits.
A second RHEL-derivative system with the ChefDK installed to test the recipe locally.
To download the ChefDK, go to this site: https://downloads.chef.io/chef-dk/

Note: Although it's possible for you to follow this and put together a working prototype, I strongly-encourage that you really explore the concept of infrastructure as code.
Finally, By no means what's outlined here is ready for production. Check out the reading list below.

Example Diagram
Chef Blog - Diagram.png

Implementation Steps

Planning

The goal of this lab is to be able to deploy the Centrify bits in a RedHat, CentOS, Scientific or Oracle system in a consistent way. The 'core' process without checking for major dependencies or issues is to:

Install Centrify DirectControl
Authenticate against Active Directory with an account with minimal rights
Join Active Directory

Building Blocks

YUM Repository with Centrify RPMs (completed in the previous lab)
AD account + keytab (steps outlined in a previous post)
Usable krb5.conf: You can copy this file from any Centrified system; however, depending on where you're onboarding the system, you want to edit the file only with the DCs that are reachable to the new system.

Make the krb5.conf and service account keytab available to your infrastructure

In the original article, we piggy-backed on the Apache webserver as the transport for our repository. Now we're going to create another folder for utilities (utils for short) and copy the keytab and krb5.conf file.

Create a folder under /var/www/html
$ sudo mkdir /var/www/html/centrify/utils
Copy the RPMs to the folder.$ cd /path/to/files
$ sudo mv krb5.conf /var/www/html/centrify/utils
$ sudo mv ad-joiner.keytab /var/www/html/centrify/utils
Set the proper permissions in the folder
chmod -R ugo+rX /var/www/html/centrify/utils
Verify that the files are accessible via the web server (you may have to check the firewall settings)

Perform a basic installation of the ChefDK

Go to https://downloads.chef.io/chef-dk/ and download the latest ChefDK bits.
Install the bits
$ dzdo rpm -Uvh chefdk-0.10.0-1.el7.x86_64.rpm
Set the ruby path to the Chef-provided version
$ echo 'eval "$(chef shell-init bash)"' >> ~/.bash_profile
Logout and log back in to verify the ruby path
$ which ruby
/opt/chefdk/embedded/bin/ruby

Create and test your stand-alone Chef Recipe

Create a file
$ vi install-centrifydc.rb
Here are the contents of my file

# This stand-alone recipe will install the Centrify Agent on RHEL derivatives, 
# joins Active Directory and places the system in a Computer Role
# Notes: This recipe is not idempotent (achieving this is up to you!)

# Variables for my environment (see blog post)
# domain is the most basic parameter to join Active Directory

domain = 'centrify.vms'

# in Zone Mode (licensed with UNIX identity and Access Control) the zone
# parameter corresponds is where the system will be placed

zone = 'Global'

# OU is where your computer object will be placed in Active Directory
# your ad-joiner account should be able to join systems to this container

ou = 'ou=servers,ou=centrifyse'

# A Computer role is one of the ways to group systems and define access 
# control a system may be a member of multiple computer roles.  
# E.g.  a LAMP system may be accessible by Web Admins, Developers and 
# DBAs

crole = 'PCI Servers'

# In a pre-requiste blog entry, I outlined how to create a YUM repository for 
# RHEL and derivatives.  This means that you need a yum or apt repo with 
# the Centrify packages.  Per Chef, the default action will be to install the package.

package 'CentrifyDC'

# Centrify's utilities are Kerberized, this means that they will use the current
# user's Kerberos TGT to attempt the transaction against AD.  However, in a 
# virgin system, there are no working krb5.conf files, therefore kinit won't know
# how to find a KDC to authenticate against.  This is why we need a krb5.conf 
# file from a working system (or that points to a reachable Domain Controller), 
# in the previous blog entry, we piggy-backed on an Apache Web server to serve those files.

remote_file '/tmp/krb5.conf' do
  source 'http://linux2.centrify.vms/centrify/utils/krb5.conf'
  owner 'root'
  group 'root'
  mode '0644'
  action :create
end

# The keytab corresponds to a service account that has the minimal rights, in 
# this case, the rights to write a computer object in the designated container 
# (ou) needless to say, you need to treat this file with care and if posible, 
# remove when complete.

remote_file '/tmp/ad-joiner.keytab' do
  source 'http://linux2.centrify.vms/centrify/utils/ad-joiner.keytab'
  owner 'root'
  group 'root'
  mode '0644'
  action :create
end

# In this command, we authenticate against AD with the keytab of our service 
# account.  Note that we are using the usable krb5.conf file so kinit can reach
# a KDC (domain controller).  The end-result is that root (or sudo) user will
# have a TGT and you don't need to put keys, hashes or passwords in your script.

execute 'kinit' do
  command "env KRB5_CONFIG=/tmp/krb5.conf /usr/share/centrifydc/kerberos/bin/kinit -kt /tmp/ad-joiner.keytab ad-joiner"
end

# Finally we run adjoin.  At this point we are using the variables from my 
# environment.  Although in doing so, we broke the 'idempotent principles, I'm 
# certain that Chef experts will understand how to implement an independent cookbook

execute 'adjoin' do
   command "/usr/sbin/adjoin -z #{zone} -c #{ou} -R \"#{crole}\" -V #{domain}"
end


# Cleanup
execute 'kdestroy' do
  command "env KRB5_CONFIG=/tmp/krb5.conf /usr/share/centrifydc/kerberos/bin/kdestroy"
end

file '/tmp/ad-joiner.keytab' do
   action :delete
end

file '/tmp/krb5.conf' do
   action :delete
end

Verify the recipe

$ sudo chef-apply install-centrifydc.rb
Recipe: (chef-apply cookbook)::(chef-apply recipe)
  * yum_package[CentrifyDC] action install
    - install version 5.2.3-429 of package CentrifyDC
  * remote_file[/tmp/krb5.conf] action create
    - create new file /tmp/krb5.conf
    - update content in file /tmp/krb5.conf from none to 186d5f
 [truncated]
  * execute[kinit] action run
    - execute env KRB5_CONFIG=/tmp/krb5.conf /usr/share/centrifydc/kerberos/bin/kinit -kt /tmp/ad-joiner.keytab ad-joiner
  * execute[adjoin] action run
    - execute /usr/sbin/adjoin -z Global -c ou=servers,ou=UNIX -R "App Servers" -V centrify.vms

Verification Video

Adjustments

There are absolutely many improvements that can be made. Here are a few that come to mind (in no specific order):

Check for Perl: CentrifyDC requires Perl 5.8 and up.
Chek for DC connectivity: You can potentially check for connectivity to KDCs prior to attempting to authenticate.
Inspect the name of the system: In keeping with AD Naming conventions, we should check for length and uniqueness in the forest prior to join.
Check if the system is already joined or in the desired zone/forest.
Inspect the IP/DNS configuration: Maybe the TCP/IP and DNS config is not right.
Perform a Dynamic DNS update using addns: After join, you can use addns to get the system registered with Microsoft DNS
Obtain Certificates with ADCert: If the system is used for SSL communications, you can get the cert manually using adcert.
Manage centrifydc.conf: There are some basic parameters that may not be manageable via GPO (e.g. DMZ) that can be managed from there.
New Information: Centrify DirectControl can provide information to Chef regarding the AD topology.
Add dependent packages: LDAP Proxy or Centrify DirectAudit/DirectSecure come to mind.
Most importantly: This requires a cookbook! Make it as idempotent as possible!

Reading List

Although any capable IT admin is able to spend a few hours and make something like this work, my advice is to explore deeper the concepts around 'Infrastructure as Code'; I'm of the opinion that it's a game-changing paradigm. I recommend (still reading):

RESTFul Web APIs (Richardson)
Test-Driven Infrastructure with Chef (Nelson-Smith)
Learn Chef Tutorials at (http://learn.chef.io)

For a "removal" recipe, see the this Centrify Community post.

Centrifying

Background on the Sarbanes-Oxley Act

You need to understand what a security analyst or auditor is asking of you, let's start with the basics:

What is SOx?The Sarbanes-Oxley act of 2002 or “Public Company Accounting Reform and Investor Protection Act”
Who needs to comply with it?All publicly-traded companies.
How can you prove due-diligence with SOx?They need to provide the assurance that systems that impact financial statements have implemented the proper security controls.
What is the point of SOX?The main intention of SOX is to establish verifiable security controls to protect against disclosure of confidential data, and tracking of personnel to detect data tampering that may be fraud related. The central purpose of the act is to reduce fraud, build public confidence and trust, and protect data that may affect companies and shareholders.
What is the cost of non-conformance?Very steep penalties and/or prison time for executives.
What systems are bound by SOx rules?Any system that supports applications that impact the business bottomline. Your organization should have written guidelines to categorize the data that travels or is stored in those systems.
What are the guidelines to determine if a system may be bound by SOx?This should be defined by a risk assessment exercise, however, a simple model is to use the CIA rating (Confidentiality-Integrity-Availability). This triad can be used to do a simple test. As yourself these 3 questions.
If the data on these systems....
a) is made public (confidentiality breach)
b) is tampered with or not reliable
c) is not available (system down)
... is there an impact to the organization's bottomline (financial, reputation, major productivity loss)?
The answer to this question should give you a pretty good idea. As a matter of fact, any system that falls into that category (infrastructure like Routers, Switches, DNS, PKI, etc.) has impact to operations.

What are the common misconceptions of the SOx Act?
That you should only produce reports (e.g. lists of users in the context of IAM). The whole point of the concept of "verifiable security controls" is to prove the effectiveness of the controls; the reason why organizations have to produce reports is due to legacy issues.
For example, if you are using /etc/passwd for 20 users, you have to potentially attest for 20 different user/attestation reports.

Now let's discuss how Centrify can help.

Centrify-Sarbanes Oxley Reference Guide
This table, should be a good starting point; however we ask that you reconcile this information with your organization's security policies, guidelines and procedures.

Section	What it means	Centrify Products/Features	Centrify Implements
Section 302.2 – Establish safeguards to prevent data tampering.	Controls are implemented to prevent, correct or detect data breaches	DirectControl, DirectAuthorize, DirectAudit / Privileged user management, logging, auditing	Centrify implements a RBAC mechanism that allows to control: a) Who can access a system b) How they can access the system (console, SSH, RDP, etc) c) What can they do in that system (DirectAutorize) This approach protects systems end-to-end and it’s not password-centric. It’s called Least Access/Least Privilege Principle Resource: What is DirectAuthorize?
Section 302.4.B – Establish verifiable controls to track data access.	Controls are implemented to attest who has access	DirectControl, DirectAuthorize, DirectAudit / Reporting, Auditing	All access and privilege elevation events are logged to UNIX/Linux syslog and the Windows Event log (if Kerberos events are being audited)
Section 302.4.C – Ensure that safeguards are operational	Self-described	DirectControl, DirectAuthorize, DirectAudit / site awareness, watchdog, caching, offline audit	Centrify implements the following high-availability mechanisms: a) AD Site/Services awareness – this means that it will failover upon domain controller failure b) Offline Cache: in case of no DC availability it can provide login with cached credentials c) Telemetry calculations: the client proactively will probe to see if it’s talking to the most optimal DC. d) Watchdog processes: Implements a watchdog daemon that will spawn new processes if needed. Resource: Youtube Playlist - HA Mechanisms.
Section 302.4.D – Periodically report the effectiveness of safeguards.	Attest that controls are working as expected	DirectControl, DirectAuthorize, DirectAudit /enhanced logging, alerts.	Centrify Implements a) Console-based reporting b) Script-based reporting (UNIX, Windows PowerShell) c) SQL-Server Based Reporting (CSS 2016, now in Beta)
Section 302.5.A&B – Detect Security Breaches	Self-described	DirectControl, DirectAudit / logging, capture and replay	Centrify Provides: a) Event log and syslog logging b) Session Transcripton (EE) c) Session Capture and Replay (DVR-like) (EE) d) Event consolidation (EE) e) Event reporting (EE)
Section 404.A.1.1 – Disclose security safeguards to independent auditors. Section 404.A.2 – Disclose security breaches to independent auditors. Section 404.B – Disclose failures of security safeguards to independent auditors.	Demonstrate the existence of a security framework, for example: • Procedures to eliminate terminated (or changed) employees • Password Policy • Separation of Duties • Attestation	DirectControl, DirectAuthorize, DirectAudit / zone provisioning agent, policy enforcement, zone delegation, role-based access, reporting, logging, auditing	Centrify allows for a) Collapsing the termination of users directly in active directory b) The password policy from Active Directory is reused in UNIX, Linux, Mac and Apps c) Provides mechanisms to implement delegation and separation of duties.

The bottomline is this:
Organizations that have multiple identity silos (like /etc/passwd or /etc/group) have a very hard time (or have a lot of complexity or an army of people) just to manage simple tasks like the user/group life-cycle (add/moves/changes). With Centrify and Active Directory these tasks become centralized, making the security controls more effective. Organizations effectively piggy-back on existing processes, so when you get the question "how can you prove that you're performing on-time user add/moves or changes?" you can simply say: "This is all tied to our Active Directory processes and procedures"

Here's a good sequence (for user adds/moves and policy)

1. Log on to a UNIX, Linux or Mac with an AD user.
2. Show the system log (messages log, syslog or event log)
3. Logoff and Disable the user in AD
4. Attempt login (you should fail).  Show the log again.
5. Re-enable the user and log in.
6. Try to change the password to something misaligned with policy (like 1235).
7. Show the failure in password updates.

Note: You have to be auditing logon success and failure events in Active Directory Domain Controllers to see this. You can set this up by enabling success and failure of the Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit Account Logon Events GPO.

Samples:
In this sequence, the user Diana (dwirth) logs in to a CentOS system via SSH.

Event on UNIX/Linux:

Jul 27 17:17:55 engcen5 adclient[3313]: INFO  AUDIT_TRAIL|Centrify Suite|PAM|1.0|200|
PAM set credentials granted|5|user=dwirth(type:ad,dwirth@CENTRIFYIMAGE.VMS) 
pid=25913 utc=1438035475776 centrifyEventID=24200 status=GRANTED service=sshd tty=ssh 
client=member.centrifyimage.vms

Event on Windows:
Event Viewer - Kerberos success.png

Centrify Architecture and Credential Consolidation
You often have to explain how our solution is architected. The bottomline is that for all intends and purposes, the system acts like a Windows system. However, you may need to materialize diagrams like this:

Make sure you explain that Centrify uses UNIX frameworks, standard protocols and Microsoft Active Directory specifications. Here are some of the key ones:

Name Service Switch (NSS) –provides a facility to the OS for sources of identity information like users and groups
Pluggable Authentication Modules (PAM) – provides a facility to the OS applications to abstract authentication providers.
Kerberos: Centrify communicates with AD for authentication using Kerberos. Kerberos is an authentication protocol that relies on a Key Distribution Center and Authentication servers. The whole principle behind Kerberos is the use of mutual authentication, tickets, encryption and mechanisms to detect replay attacks. Centrify provides MIT-Kerberos based tools and libraries that have been optimized to work with Microsoft’s Active Directory Kerberos implementation.
High-availability is provided by AD Site Awareness, offline credential cache, telemetry calculations and the watchdog process.

How does the authentication process work?
At a very simple level:

A UNIX-enabled AD user attempts to log in using a PAM-enabled(*) application (like login or SSH)
An application like login uses the Centrify PAM module to attempt to log in.
The PAM modules will perform a series of checks, e.g. (user is authorized, AD account in good standing), password is correct, etc,
Kerberos: The system will use a mutually authenticated encrypted connection (with the highest allowed encryption) to talk to a domain controller and get the appropriate service tickets.
The user will be logged in to the system via the corresponding application (e.g. login, SSH)
(see the attachment)

Encryption Levels
You may be asked about encryption too. Make sure you explain that in an Active Directory environment, encryption algorithms and strength are defined by the version and functional level of the environment. For example, an AD DC that is running in 2008R2 functional level will use AES256 for encryption, previous versions would use lower encryption levels. The Centrify agent will follow the levels defined by Active Directory.

Passwords are stored in Active Directory domain controllers and the encryption level is defined by the msDS-SupportedEncryptionTypes attribute. To view the encryption levels supported by your current infrastructure, consult your AD team, or look at the /etc/krb5.conf configuration of any Centrified system.

Encryption is used for two areas:

Kerberos transactions (encryption in traffic – self-explanatory)
Offline cache: Centrify just like Windows supports the use of offline logins, as a compensating high-availability mechanism in case of lack of communication with a Domain controller. The encryption levels for the offline has are the ones available by the AD functional level. The parameter to encrypt the hash of the offline credential is cache.encrypt (or its corresponding Group Policy Object) and you can force an encryption type by using the adclient.cache.encryption.type (or the corresponding GPO).

Due Diligence
Due to Centrify’s penetration in high-security environments, we’ve had to perform additional due diligence and have achieved the following certifications:

Common Criteria EAL2+: https://www.commoncriteriaportal.org/files/epfiles/centrify-v20132-cert-eng.pdf
FIPS 140-2: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2011.htm#1604
For additional certifications: http://www.centrify.com/solutions/federal/certifications/

Resources:

Centrify Configuration and Tuning Guide: https://www.centrify.com/downloads/products/documentation/suite2015/centrify-unix-config-guide.pdf (page 31 – adclient.cache encrypt/encryption.type)
About functional levels: https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx
About Active Directory encryption levels: https://msdn.microsoft.com/en-us/library/cc223853.aspx

Identity: Why aren’t AD Schema extensions or software in Domain Controllers required?
I've seen instances in which the auditor/security analysts asks this question.
As it relates to identity data, Centrify has several ways to use Active Directory without requiring Schema Extensions:

Pre-Windows 2003R2 AD functional levels: Centrify zones implement mechanisms to store UNIX identity information in classic zones.
Windows 2003R2 and above functional levels: Centrify can use identity stored in the RFC2307 attributes implemented natively in this schema.
Services for UNIX (SFU) Schema: If a customer or prospect extended the AD schema to SFU, we can store information there (although it provides less flexibility than Centrify zones).

In addition, Centrify subscribes to Microsoft’s documented APIs (ADSI), therefore there’s no need to add software in domain controllers.

Resources for Identity:

Video – How DirectControl stores information in Active Directory: https://www.youtube.com/watch?v=JO3_AJObkAs
in this video, the CTO and creator of DirectControl, explains how Centrify stores data in AD.
RFC 2307: https://www.ietf.org/rfc/rfc2307.txt
Attached - The “Understanding the Centrify DirectControl Agent.pdf” excerpt; explains the process step by step and more detail.

(*) Centrify provides functionality for IBM Loadable Authentication Modules (LAM) as well.

Application Edition
If an Application (Apache, Java, DB2, SAP) initiates an authentication request via an interface (SPNEGO, GSSAPI, SASL, SNC, etc) ultimately the agent will use Kerberos for authentication.

In addition Centrify has a whitepaper titled "Using Microsoft Active Directory to Address Sarbanes-Oxley (SOX) Compliance in Heterogeneous Environments".

Note: the original version of this article was published in the Centrify Community.

Centrifying

Background
The foundation to many deployment or orchestration tools is to have private hosted repositories of source installation packages. Centrify offers native packages for all the supported platforms. In addition, Centrify also offers install.sh; this script and the answer files can abstract the underlying package manager for UNIX, Linux or Mac systems.
Install.sh - Benefits.jpg

This means that you can use an NFS Server, a Samba Server, a Web Server or your package manager in conjunction with the Centrify bits to deploy software easily across your enterprise. Alternatively, the Yellow-Dog Updater Modified (YUM) (and APT) provide a simple to set-up and robust package manager that can be used primarily with RedHat and derivative platforms.

Disclaimers

This article provides a "quick basic configuration"; in a true deployment you have to account for high-availability, replication, security, package integrity, supported platforms, supported versions, change control, etc.
All names, logos and trademarks used in this articles correspond to their existing owners.

What is required?

A RHEL-based system with enough storage for the Centrify RPM packages for each platform (or just for the subset you need to support).
If using web as the delivery mechanism, the web server (Apache) has to be set and configured accordingly.

Example Diagram
repo model.png

In my mock organization, there are different types of RHEL derivatives, including RedHatEnterprise, Fedora, Oracle, Scientific Linux, etc, all running on different architectures, including Intel (32 and 64 bit) , zLinux IBM s390, Itanium and IBM Power processors.

Implementation Steps

Verify pre-requisites. I'm planning to use http as the transport for my repo.

# Check if Apache is installed
$ sudo  yum list installed | grep httpd
httpd.x86_64            2.2.15-47.el6.centos
httpd-tools.x86_64      2.2.15-47.el6.centos

# If not present
$ sudo yum install httpd
$ sudo chckconfig httpd on
$ sudo service httpd start

Install the createrepo package

$ sudo yum install createrepo

Download the Centrify Bundle for the platforms to be supported.
Example data: in my mock organization, I will be supporting the bits for 2014.1 and 2015.1. This organization has a policy to only deploy maintenance releases.

Go to the Centrify Customer Center and Navigate to the Downloads Section.
Identity the bundle for 2015.1 and 2014.1:

The bundle is available in ISO or ZIP formats.

Copy and unzip the bundle in a staging server. Note that ALL the platforms are present. We are only interested in the .TGZ files that contain the word "rhel" in the name.

centrify-suite-2015.1-rhel4-i386.tgz      <= this is for Intel x86
centrify-suite-2015.1-rhel4-ia64.tgz      <= this is for Itanium
centrify-suite-2015.1-rhel4-ppc.tgz       <= this is for Power
centrify-suite-2015.1-rhel4-x86_64.tgz    <= this is for Intel x64
centrify-suite-2014.1-rhel5-s390x.tgz     <= this is for zLinux

Gunzip and untar all those files (using tar xzvf package-name.tgz). You will see RPMs for all the software included. Here's a description of all packages:
CentrifyDA is the audit agent, only used with Enterprise Edition or Privilege Service.
CentrifyDC is adclient; can be used in Express mode or Zone mode (licensed)
CentrifyDC is absolutely the only package required in most scenarios. Any other package, and you're in the land of "you must know what you're doing"
CentrifyDC-ldapproxy is the Centrified OpenLDAP Server - required to support filers or older apps over LDAP interfaces
CentrifyDC-nis is another proxy. It exists to support legacy NIS scenarios. Needless to say, this is a transitional package, using NIS is a bad idea and will lead to audit comments.
CentrifyDC-openssh is our provided version of OpenSSH; since SSH has matured to provide PAM, GSSAPI and even Kerberos support, 80% of the time is not needed, however, if you have an older UNIX or are in a complex AD, this package can be your friend.

Example data: If we follow the example, there should be 5 RPM packages for each of the different architecture. However, since there's variability on the s390 package releases, I ended up with 38 packages.

Tip: use the rpm -qpil command to inspect them. You'll see that they are very well docummented.

Copy the Centrify RPMs to the target location and verify access
In my over-simplistic example, we'll piggy-back on the default website.

Create a folder under /var/www/html
$ sudo mkdir /var/www/html/centrify
Copy the RPMs to the folder.$ cd /path/to/centrify/staging
$ sudo mv * /var/www/html/centrify
Set the proper permissions in the folder
chmod -R ugo+rX /var/www/html/centrify
Verify that the files are accessible via the web server (you may have to check the firewall settings)

Create your Repository

Use the createrepo command to create the repository

$ sudo createrepo --database /var/www/html/centrify

Update the repository database

$ sudo createrepo --update /var/www/html/centrify
Spawning worker 0 with 38 pkgs
Workers Finished
Gathering worker results

Create your repository's configuration file
In this simple configuration, we ended-up with this file (centrify.repo):

[centrify]
name=centrify
baseurl=http://linux2.centrify.vms/centrify
enabled=1
gpgcheck=0

Note: We are adding a keytab from a least privilege AD user that can only perform the join (or leave). This will ensure that we don't need to put any passwords, keys or hashes in our provisioning script. For more information on how to create the AD account and corresponding keytab, see this article.

Verify that your Repository is working

Log in to a test system, copy or create the centrify.repo file in the /etc/yum.repos.d folder
$ sudo cp /path/to/centrify.repo /etc/yum.repos.d/centrify.repo

Checking package availability and Metadata

$ sudo yum install centrifydc
No package centrifydc available.
  * Maybe you meant: CentrifyDC
# This verifies that our metadata is OK.

More information about CentrifyDC (the base package) - output truncated.

$ sudo yum info CentrifyDC
Available Packages
Name        : CentrifyDC
Arch        : i386
Version     : 5.2.3
Release     : 429
Size        : 25 M
Repo        : centrify
Summary     : Centrify DirectControl Agent
URL         : http://www.centrify.com/
License     : Copyright (C) 2004-2015 Centrify Corporation
Description : RPM to install Centrify DirectControl on Linux x86 platforms.

Name        : CentrifyDC
Arch        : x86_64
Version     : 5.2.3
Release     : 429
Size        : 34 M
Repo        : centrify
Summary     : Centrify DirectControl Agent
URL         : http://www.centrify.com/
License     : Copyright (C) 2004-2015 Centrify Corporation
Description : RPM to install Centrify DirectControl on Linux x86_64 platforms.

Note that I can see that the lastest version is available for two platforms that may apply to my system.

Let's verify the integrity of dependencies (LDAP Proxy depends on DirectControl)

$ repoquery --requires CentrifyDC-ldapproxy
/bin/sh
CentrifyDC <= 5.2.3-999
CentrifyDC >= 5.2.3-000
/bin/sh
CentrifyDC <= 5.2.3-999
CentrifyDC >= 5.2.3-000

Let's install DirectControl

$ sudo yum install CentrifyDC

Resolving Dependencies
--> Running transaction check
---> Package CentrifyDC.x86_64 0:5.2.3-429 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch            Version            Repository         Size
================================================================================
Installing:
 CentrifyDC          x86_64          5.2.3-429          centrify           34 M

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 34 M
Installed size: 87 M
Is this ok [y/N]:

Putting it All Together
Ultimately, there are 3 operations to onboard a Centrify system in AD.

Get the package and install it [we should be good here]
Verify that the system is ready to join (OS check, Perl, inspect DNS, check for communicaton with AD)
[read below note #1]
Use the adjoin command to activate DirectControl and join AD.
[read below note # 2]

Note # 1: With YUM you have a reliable way to get the packages across for multiple RHEL derivatives; however, your logic should include adcheck in the mix if you're not using an enterprise image. Ideally you would always do QA and use supported platforms and have a standard DNS configuration that includes the ability to get an authoritative response from a Domain controller. If that's the case, and there are no firewalls in-between, adjoin should just work.

Note # 2: We have covered adjoin extensively; keep in mind that it is Kerberized and it won't require a password to work. Its counterpart (adleave) will work the same way, and it's essential for cleanup and releasing of licenses (otherwise they will count for 45 days against your usage).

The ultimate automation script should contain just 3 lines:

yum install CentrifyDC
kinit to authenticate to authorized AD user
adjoin

In my example:

$ yum install CentrifyDC
$ env KRB5_CONFIG=/temp/krb5.conf /usr/share/centrifydc/kerberos/bin/kinit 
-kt /temp/ad-joiner.keytab ad-joiner
$ adjoin --zone Global --container "ou=servers,ou=centrifyse" 
--computerrole "PCI Systems" centrify.vms

Verification Video (5 minutes, 10 seconds)

Appendix: Flipping the script - deprovisioning

In elastic environments, decommisioning a system (or 'Terminating' in AWS lingo) has a Centrify implication; it has to do with proper Active Directory hygiene and licensing purposes(*). The proper way to leave the domain is to use the remove option of the adleave command. Based on my example, If I wanted to leave the domain and uninstall Centrify here's the sequence:

kinit to an account that is authorized to remove the computer from the domain
use the adleave -r command
optional: use yum erase CentrifyDC

In my example:

$ env KRB5_CONFIG=/temp/krb5.conf /usr/share/centrifydc/kerberos/bin/kinit 
-kt /temp/ad-joiner.keytab ad-joiner
$ adleave --remove
$ yum erase CentrifyDC

(*) If you don't use the "--remove" option with adleave, you are creating an orphaned object in the zone and a computer object that is disabled. It takes 45 days for the Centrify consoles to consider this system as inactive; inactive systems don't count against your Centrify license counts. You can run the Analyze tool to find and clean orphaned and tombstoned objects.

This article was originally posted for the Centrify Community here:
http://community.centrify.com/t5/Get-Started-How-To-s/bg-p/GetStartedHow

Sections

Saturday, November 28, 2015

Deploy Centrify and Join Active Directory automatically with a simple Chef recipe

Monday, November 16, 2015

Security Corner - How to demonstrate alignment with Sarbanes-Oxley with Centrify for UNIX/Linux and Active Directory

Saturday, November 14, 2015

Setting up a simple YUM repository to deploy Centrify for RHEL and derivatives