Welcome to the Centrify Forums.
Linux Mint (released on Nov 27, 2017) is a relatively new revision.
Although we released 2017.3 in December, there was not enough time to do enough testing of all the tooling.
Note that install.sh is just a tool to make sure all is kosher to install our client. Most of the time (unless we are talking about a consumer company with a fruit as its logo) Linux and UNIX distributions and flavors are pretty standard.
Most of the time, you can get away with installing the client, joining AD and just using it (the PAM, NSS and Kerberos stacks stay relatively static).
Have you tried installing the client using apt/dpkg and running adjoin manually?
sudo dpkg -i [centrify-package-name].deb
sudo dpkg -i centrifydc-5.4.3-deb7-x86_64.deb
sudo adjoin -w -u [user-authorized-to-join-system-to-active-directory] -V -c ou=container,ou=for-system [domain.name]
sudo adjoin -w -c "ou=servers,ou=centrify" -u winadmin -V example.com
From that point on I'd inspect the NSS, PAM and Kerberos environments and try to log in with my AD users.
Note: In the practical world, most people just try to log in right away, but I'm adding this chunk of info for future readers:
How to check to see if your new (officially unsupported) distribution can work (at least for basic functionality)
Basic information
- Centrify leverages the NSS & PAM UNIX frameworks and the Kerberos protocol to integrate to Active Directory.
- Nothing is actually changed (other than placing the binaries in the right folders) unless the adjoin command is run successfully.
Inspecting the NSS environment
To check what AD users are visible (all in Express/Workstation mode)
$ adquery user # Using Centrify native commands
$ getent passwd -s centrifydc # Using classic NSS commands
To check what AD groups are visible (all in Express/Workstation mode)
$ adquery group
$ getent group -s centrifydc
Should these not resolve, I'd check to see if the /etc/nsswitch.conf was properly populated after adjoin. This would be a major indicator of incompatibility.
Checking basic functionality
The quickest way to see if things are OK is to look at the output of adinfo.
$ adinfo
Local host name:   system-name
Joined to domain:  example.com
Joined as:         system-name@example.com
Pre-win2K name:    system-name
Current DC:        dc.example.com
Preferred site:    SiteName
Zone:              Auto Zone
CentrifyDC mode:   connected
Licensed Features: Enabled
If you are connected, the site is properly named and you can hit at least a DC, you can rest assured things are relatively fine. If you have issues here (like disconnection), things need to be studied further (e.g. like with adinfo -T).
Inspecting the PAM stack
Review if the PAM stack was properly populated after adjoin:
$ view /etc/pam.d/common-auth
You are looking for lines inserted by Centrify DirectControl.
# lines inserted by Centrify Direct Control { CentrifyDC 5.4.3-887 }
auth sufficient pam_centrifydc.so
auth requisite pam_centrifydc.so deny
[truncated]
If this is populated correctly, you can try a PAM-enabled application to see if Auth is working.
What I typically recommend is that you use switch user (this excludes any terminal or console program like SSH or login).
$ su - [ad user]
What's expected: You should be prompted for the AD password of the user. Should everything be OK and you can switch accordingly, things are OK in the PAM stack, at least with su.
Inspecting Kerberos
The Kerberos environment is automatically configured by Centrify once the system is joined. You can:
- Inspect the Kerberos configuration file
$ view /etc/krb5.conf
What to look for: entries for domain controllers, encryption levels and trusts based on your AD infrastructure should be populated automatically.
- Inspect the system Keytab
$ sudo /usr/share/centrifydc/kerberos/bin/klist -kt /etc/krb5.keytab
What to look for: KVNOs, Timestamps and Principal names for: host, nfs, smb, http, etc. These are added by Centrify as a courtesy (configurable).
- Obtain a TGT (optionally a service ticket)
$ sudo /usr/share/centrifydc/kerberos/bin/kinit [AD user Name]
What to look for: Run klist (from the path above) and you should have a TGT for the user in question.
At this point, unless you have something funny happening with the OpenSSH server, you should be able to log in.
Note that although this may just work, the next release will officially support the distro in question along with the tooling.
R.P
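The NSS, adinfo, PAM and keytab checks described in the post above, scripted as POSIX shell functions over captured output. This is an added example and is not part of R.P's post or of Centrify's own tooling. Every check takes a file path, so it can be run against the live files on a joined system or against captured command output; the nsswitch.conf, common-auth, adinfo and klist -kt samples it creates are constructed for the demonstration (modelled on the post's adinfo output, with the assumed host FQDN system-name.example.com and realm EXAMPLE.COM).

```shell
#!/bin/sh
# check_centrify.sh: scripted version of the post-adjoin sanity checks
# (NSS, PAM, adinfo mode, keytab). Added example, not Centrify tooling.
# Each check takes a file path so it works on live files or captured output.

# NSS: both the passwd and group sources must list centrifydc.
nss_has_centrifydc() {   # $1 = nsswitch.conf
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]centrifydc([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:.*[[:space:]]centrifydc([[:space:]]|$)' "$1"
}

# PAM: at least one auth line loading pam_centrifydc.so (the lines adjoin inserts).
pam_has_centrifydc() {   # $1 = a pam.d file, e.g. common-auth
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_centrifydc\.so' "$1"
}

# adinfo: print the "CentrifyDC mode" value (expected: connected).
adinfo_mode() {          # $1 = captured adinfo output
    sed -n '/^CentrifyDC mode:/{s/^CentrifyDC mode:[[:space:]]*//;s/[[:space:]]*$//;p;}' "$1"
}

# keytab: the klist -kt listing must contain a host/<fqdn>@REALM principal.
keytab_has_host() {      # $1 = captured "klist -kt" output, $2 = host FQDN
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # keep the dots literal in the regex
    grep -Eq "[[:space:]]host/${esc}@" "$1"
}

# Run all four checks, print PASS/FAIL per check, return the failure count.
run_checks() {           # $1 nsswitch  $2 pam file  $3 adinfo out  $4 klist out  $5 fqdn
    fails=0
    if nss_has_centrifydc "$1"; then echo "PASS nss: centrifydc in passwd/group"
    else echo "FAIL nss: nsswitch.conf not populated (major incompatibility indicator)"; fails=$((fails+1)); fi
    if pam_has_centrifydc "$2"; then echo "PASS pam: pam_centrifydc.so in auth stack"
    else echo "FAIL pam: no pam_centrifydc.so auth line"; fails=$((fails+1)); fi
    mode=$(adinfo_mode "$3")
    if [ "$mode" = "connected" ]; then echo "PASS adinfo: mode=connected"
    else echo "FAIL adinfo: mode='${mode:-unknown}' (dig further, e.g. adinfo -T)"; fails=$((fails+1)); fi
    if keytab_has_host "$4" "$5"; then echo "PASS keytab: host/$5 principal present"
    else echo "FAIL keytab: no host/$5 principal"; fails=$((fails+1)); fi
    return "$fails"
}

# ---- constructed sample inputs (not real system files) ----
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/nsswitch.good" <<'EOF'
passwd: files centrifydc
group:  files centrifydc
shadow: files centrifydc
EOF
cat > "$SAMPLE/nsswitch.bad" <<'EOF'
passwd: compat
group:  compat
EOF
cat > "$SAMPLE/common-auth" <<'EOF'
# lines inserted by Centrify Direct Control { CentrifyDC 5.4.3-887 }
auth sufficient pam_centrifydc.so
auth requisite pam_centrifydc.so deny
auth [success=1 default=ignore] pam_unix.so nullok_secure
EOF
cat > "$SAMPLE/adinfo.out" <<'EOF'
Local host name:   system-name
Joined to domain:  example.com
Joined as:         system-name@example.com
Current DC:        dc.example.com
Preferred site:    SiteName
Zone:              Auto Zone
CentrifyDC mode:   connected
Licensed Features: Enabled
EOF
cat > "$SAMPLE/klist.out" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- -----------------------------------------------
   2 12/01/17 10:00:00 SYSTEM-NAME$@EXAMPLE.COM
   2 12/01/17 10:00:00 host/system-name.example.com@EXAMPLE.COM
EOF

echo "== constructed joined system =="
run_checks "$SAMPLE/nsswitch.good" "$SAMPLE/common-auth" "$SAMPLE/adinfo.out" "$SAMPLE/klist.out" system-name.example.com
echo "failures: $?"
echo "== constructed system with unpopulated nsswitch.conf =="
run_checks "$SAMPLE/nsswitch.bad" "$SAMPLE/common-auth" "$SAMPLE/adinfo.out" "$SAMPLE/klist.out" system-name.example.com
echo "failures: $?"

# Live use on a joined system (needs the Centrify client; paths as in the post):
#   adinfo > /tmp/adinfo.out
#   sudo /usr/share/centrifydc/kerberos/bin/klist -kt /etc/krb5.keytab > /tmp/klist.out
#   run_checks /etc/nsswitch.conf /etc/pam.d/common-auth /tmp/adinfo.out /tmp/klist.out "$(hostname -f)"
```

The return value of run_checks is the number of failed checks, so it can gate a wider rollout script; the order of the checks follows the post (NSS first, because an untouched nsswitch.conf after adjoin is the strongest sign the distro is not compatible).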