Welcome to the Centrify forums.
Although SimpleAD (Samba4, based on Windows Server 2008 R2 AD) is not "officially supported", there are ways for you to make this work.
Just edit the /etc/centrifydc/centrifydc.conf and enable the parameter adclient.excluded.domains; set the value to exclude your DOMAINDNSZONES.<yoursimplead> and FORESTDNSZONES.<yoursimplead>; in my case I have a SimpleAD called corp.workspaces.demo, therefore my line looks like this:
adclient.excluded.domains: DOMAINDNSZONES.corp.workspaces.demo FORESTDNSZONES.corp.workspaces.demo
After you make this change, make sure you either restart the client or issue the adreload command.
Here's a sanity check sequence:
Installation
# apt install centrifydc
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  centrifydc-curl centrifydc-openldap centrifydc-openssl
The following NEW packages will be installed:
  centrifydc centrifydc-curl centrifydc-openldap centrifydc-openssl
0 upgraded, 4 newly installed, 0 to remove and 36 not upgraded.
Need to get 30.9 MB of archives.
After this operation, 81.4 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 https://repo.centrify.com/deb stable/main amd64 centrifydc-openssl amd64 5.4.1-455 [2,382 kB]
Get:2 https://repo.centrify.com/deb stable/main amd64 centrifydc-openldap amd64 5.4.1-455 [2,160 kB]
Get:3 https://repo.centrify.com/deb stable/main amd64 centrifydc-curl amd64 5.4.1-455 [345 kB]
Get:4 https://repo.centrify.com/deb stable/main amd64 centrifydc amd64 5.4.1-455 [26.0 MB]
Fetched 30.9 MB in 7s (4,229 kB/s)
Selecting previously unselected package centrifydc-openssl.
(Reading database ... 51032 files and directories currently installed.)
Preparing to unpack .../centrifydc-openssl_5.4.1-455_amd64.deb ...
Unpacking centrifydc-openssl (5.4.1-455) ...
Selecting previously unselected package centrifydc-openldap.
Preparing to unpack .../centrifydc-openldap_5.4.1-455_amd64.deb ...
Unpacking centrifydc-openldap (5.4.1-455) ...
Selecting previously unselected package centrifydc-curl.
Preparing to unpack .../centrifydc-curl_5.4.1-455_amd64.deb ...
Unpacking centrifydc-curl (5.4.1-455) ...
Selecting previously unselected package centrifydc.
Preparing to unpack .../centrifydc_5.4.1-455_amd64.deb ...
Unpacking centrifydc (5.4.1-455) ...
Processing triggers for systemd (229-4ubuntu17) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up centrifydc-openssl (5.4.1-455) ...
Setting up centrifydc-openldap (5.4.1-455) ...
Setting up centrifydc-curl (5.4.1-455) ...
Setting up centrifydc (5.4.1-455) ...
Platform check and adcheck
# uname -a
Linux ip-172-31-29-29 4.4.0-1020-aws #29-Ubuntu SMP Wed Jun 14 15:54:52 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
# /usr/share/centrifydc/bin/adcheck corp.workspaces.demo
OSCHK    : Verify that this is a supported OS                        : Pass
PATCH    : Linux patch check                                         : Pass
PORTMAP  : Verify that portmap or rpcbind is installed               : Warning
         : Could not install CentrifyDC-nis package.
         : PORTMAP not installed. Please install required
         : portmap or rpcbind package, which CentrifyDC-nis
         : depends on
PERL     : Verify perl is present and is a good version              : Pass
SAMBA    : Inspecting Samba installation                             : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp     : Pass
HOSTNAME : Verify hostname setting                                   : Pass
NSHOSTS  : Check hosts line in /etc/nsswitch.conf                    : Pass
DNSPROBE : Probe DNS server 172.31.26.34                             : Pass
DNSPROBE : Probe DNS server 172.31.40.69                             : Pass
DNSCHECK : Analyze basic health of DNS servers                       : Pass
WHATSSH  : Is this an SSH that DirectControl works well with         : Pass
SSH      : SSHD version and configuration                            : Warning
         : You are running OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g 1 Mar 2016.
         :
         : This version of OpenSSH does not seem to be configured for PAM,
         : ChallengeResponse and Kerberos/GSSAPI support.
         : To get Active Directory users to successfully login,
         : you need to configure your OpenSSH with the following options:
         : (display the ones we identified were not set)
         : ChallengeResponseAuthentication yes
         : UsePAM Yes
         :
         : Centrify provides a version of OpenSSH that's configured properly
         : to allow AD users to login and provides Kerberos GSSAPI support.
DOMNAME  : Check that the domain name is reasonable                  : Pass
ADDC     : Find domain controllers in DNS                            : Pass
ADDNS    : DNS lookup of DC aws-d2b29d34ca.corp.workspaces.demo      : Pass
ADPORT   : Port scan of DC aws-d2b29d34ca.corp.workspaces.demo 172.31.26.34 : Pass
ADDC     : Check Domain Controllers                                  : Pass
ADDNS    : DNS lookup of DC aws-d2b29d34ca.corp.workspaces.demo      : Pass
GCPORT   : Port scan of GC aws-d2b29d34ca.corp.workspaces.demo 172.31.26.34 : Pass
ADGC     : Check Global Catalog servers                              : Pass
DCUP     : Check for operational DCs in corp.workspaces.demo         : Pass
SITEUP   : Check DCs for corp.workspaces.demo in our site            : Pass
DNSSYM   : Check DNS server symmetry                                 : Pass
ADSITE   : Check that this machine's subnet is in a site known by AD : Pass
GSITE    : See if we think this is the correct site                  : Pass
TIME     : Check clock synchronization                               : Pass
ADSYNC   : Check domains all synchronized                            : Pass
2 warnings were encountered during check. We recommend checking these before proceeding
Joining AD
Notice the use of the -n switch to get around the name resolution issue; however, note the messages at the end: the client is unable to get some info about the domain.
# adjoin -w -V corp.workspaces.demo
Error: computer name should not be localhost or localhost.localdomain
Please edit /etc/hosts or your DNS server to set your hostname correctly or use the --name option
# adjoin -w -V -n ubuntu01 corp.workspaces.demo
Administrator@CORP.WORKSPACES.DEMO's password:
Options
-------
Precreate: no
Compatible with 2.x/3.x: no
Enable Apple Scheme to generate UID/GID: no
domain: corp.workspaces.demo
user: Administrator@CORP.WORKSPACES.DEMO
container: null
computer name: ubuntu01
Pre-Windows 2000 name: ubuntu01
DNS Host Name used for dNSHostName attr: null
zone: Auto Zone
server: null
zoneserver: null
gc: null
upn: null
noconf: no
set time: yes
force: no
forceDeleteObj: no
trust: no
des: no
self-serve: no
use ldap to create computer object: no
license type: null
Setting time
Initializing domain settings file to corp.workspaces.demo
Attempting bind to corp.workspaces.demo(site:) as Administrator@CORP.WORKSPACES.DEMO on any server
Using domain controller: aws-d2b29d34ca.corp.workspaces.demo writable=true
Initializing forest settings file to CORP.WORKSPACES.DEMO
Using global catalog server: aws-d2b29d34ca.corp.workspaces.demo
Search for object by samName: filter=(samAccountName=ubuntu01$) root=DC=corp,DC=workspaces,DC=demo
Searching for well known container for computers
Well known container not found, using default
Using cn=computers,dc=corp,dc=workspaces,dc=demo container for computer object
Saving zone settings
Zone name: DC=corp,DC=workspaces,DC=demo
Zone version:
Zone schema: NULL_AUTO
Zone GUID: 00112233445566778899aabbccddeeff
Using RPC to create the computer account
Searching for newly created computer account: DC=corp,DC=workspaces,DC=demo
Search for object by samName: filter=(samAccountName=ubuntu01$) root=DC=corp,DC=workspaces,DC=demo
Found existing computer object: CN=ubuntu01,CN=Computers,DC=corp,DC=workspaces,DC=demo
Attempting to update computer dns name...
Update succeeded!
Searching for SPNs in GC...
Attempting to update computer service principal names...
Update succeeded!
Update Computer's Security Descriptor to allow computer object to read/write operating system and operating system version properties as well as reset password.
Looking for ntSecurityDescriptor for object CN=ubuntu01,CN=Computers,DC=corp,DC=workspaces,DC=demo ....
Checking if the required permissions exist.
Not all of the required permissions exist, will add them.
Add Allowed ACE to Read and Write operatingSystemVersion for S-1-5-21-755964034-531226104-3608840157-1112.
Add Allowed ACE to Read and Write operatingSystem for S-1-5-21-755964034-531226104-3608840157-1112.
Add Allowed ACE to Read and Write operatingSystemServicePack for S-1-5-21-755964034-531226104-3608840157-1112.
Add Allowed ACE to Reset Password for S-1-5-21-755964034-531226104-3608840157-1112.
Add Allowed ACE to Read userAccountControl for S-1-5-21-755964034-531226104-3608840157-1112.
Add Allowed ACE to Validate write to servicePrincipalName for S-1-5-21-755964034-531226104-3608840157-1112.
Add Allowed ACE to Validate write to dNSHostName for S-1-5-21-755964034-531226104-3608840157-1112.
Unset "Trust for delegation" bit.
Unset "Use Des Key Only" bit.
Set operatingSystemVersion to "6.1:16.04", so that KDC will issue service ticket using AES enctypes. Set also msDS-supportedEncryptionType to "24"
Update OS information. This requires computer object update rights...
Update OS information succeeded
Update License Type: workstation
Update Encryption Types
Setting machine password...
Setting get init cred callback before set password (rc=0).
Password change succeeded
Samba interoperability is disabled in centrifydc.conf: Skipped synchronizing machine password with Samba
Save kerberos join data...
Using Win 2003 key version 2
Writing kerberos keytab
Updating settings files
Join to domain:corp.workspaces.demo, zone:Auto Zone successful
Starting daemon
Centrify DirectControl started.
Waiting for adclient to startup ......
Adclient startup completed!
Loading domains and trusts information ............................... .............................Could not get the domain prefix map in allotted time.
If there are conflicts it could cause two or more users to have the same UID.
You can increase the parameter "adjoin.adclient.wait.seconds" to wait longer. See /etc/centrifydc/centrifydc.conf.
Initializing cache .
You have successfully joined the Active Directory domain: corp.workspaces.demo
in the Centrify DirectControl zone: Auto Zone
You may need to restart other services that rely upon PAM and NSS or simply reboot the computer for proper operation. Failure to do so may result in login problems for AD users.
Adinfo and adquery user
Note that adinfo comes out fine, but nothing is yielded by adinfo
ubuntu@ip-172-31-29-29:~$ adinfo
Local host name:   ip-172-31-29-29
Joined to domain:  corp.workspaces.demo
Joined as:         ubuntu01.corp.workspaces.demo
Pre-win2K name:    ubuntu01
Current DC:        aws-d2b29d34ca.corp.workspaces.demo
Preferred site:    Default-First-Site-Name
Zone:              Auto Zone
CentrifyDC mode:   connected
Licensed Features: Enabled
ubuntu@ip-172-31-29-29:~$ adquery user
Fixing the issue
ubuntu@ip-172-31-29-29:~$ sudo vi /etc/centrifydc/centrifydc.conf
ubuntu@ip-172-31-29-29:~$ sudo adreload
ubuntu@ip-172-31-29-29:~$ adquery user
administrator:x:2113929716:2113929716:Administrator:/home/administrator:/bin/bash
aws_workspaces:x:2113930322:2113930322:AWS_WorkSpaces:/home/aws_workspaces:/bin/bash
awsadmind-9067260db9:x:2113930319:2113930319:AWSAdminD-9067260DB9:/home/awsadmind-9067260db9:/bin/bash
diana:x:2113930324:2113930324:Diana Wirth:/home/diana:/bin/bash
lisa:x:2113930325:2113930325:Lisa Simpson:/home/lisa:/bin/bash
Testing with switch user
ubuntu@ip-172-31-29-29:~$ su - administrator
Password:
Created home directory
Testing with SSH access
$ ssh lisa@localhost
Permission denied (publickey).
# need to fix SSH server (most likely PasswordAuthentication is set to no)
$ sudo vi /etc/ssh/sshd_config
$ sudo service sshd restart
$ ssh lisa@localhost
lisa@localhost's password:
Created home directory
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-1020-aws x86_64)
[truncated]
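The centrifydc.conf edit described in the post, done with a script rather than vi so it can be repeated on every host (added example, not Centrify's tooling or the poster's own commands): it derives the DOMAINDNSZONES/FORESTDNSZONES value from the SimpleAD domain name, replaces any existing or commented-out adclient.excluded.domains line, and reads the active value back so you can confirm it before running adreload. The conf path and domain are arguments; nothing else is assumed.

```shell
#!/bin/sh
# Added example: manage adclient.excluded.domains in a centrifydc.conf copy.
# Usage: set_excluded_domains /etc/centrifydc/centrifydc.conf corp.workspaces.demo
set -eu

# Build the value the post recommends for a SimpleAD domain, e.g.
# "DOMAINDNSZONES.corp.workspaces.demo FORESTDNSZONES.corp.workspaces.demo".
excluded_domains_value() {
    dom=$1
    printf 'DOMAINDNSZONES.%s FORESTDNSZONES.%s\n' "$dom" "$dom"
}

# Set (or replace) the parameter in the given conf file, keeping a .bak copy.
# Any active or commented-out adclient.excluded.domains line is dropped first
# so the file ends up with exactly one definition; adclient reads the last one.
set_excluded_domains() {
    conf=$1
    dom=$2
    val=$(excluded_domains_value "$dom")
    cp "$conf" "$conf.bak"
    grep -Ev '^[[:space:]]*#?[[:space:]]*adclient\.excluded\.domains[[:space:]]*:' \
        "$conf.bak" > "$conf" || true
    printf 'adclient.excluded.domains: %s\n' "$val" >> "$conf"
}

# Print the active (uncommented) value, empty if the parameter is unset.
get_excluded_domains() {
    sed -n 's/^[[:space:]]*adclient\.excluded\.domains[[:space:]]*:[[:space:]]*//p' "$1" | tail -n 1
}
```

After the file is updated, run adreload (or restart the client) exactly as the post says, then check adquery user again.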