We provide tooling like DM, install-express.sh, etc. as a courtesy. The best practice is to use DevOps tooling like Ansible, Chef, Puppet, etc. to do the deployments; these tools leverage the native package installer for the corresponding OS. We provide all native packages with our software.
Here's the sequence of an installation I just did on my RHEL 7.4.
OS Version
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.4 (Maipo)
Decompressing files
$ ls
centrify-infrastructure-services-18.11-rhel5-x86_64.tgz
$ tar xzvf centrify-infrastructure-services-18.11-rhel5-x86_64.tgz
.
./adcheck-rhel5-x86_64
./CentrifyDA-3.5.2-557-rhel5.x86_64.rpm
./CentrifyDA-3.5.2-rhel5.x86_64.rpm
./CentrifyDC-5.5.2-578-rhel5.x86_64.rpm
./CentrifyDC-5.5.2-rhel5.x86_64.rpm
./CentrifyDC-cifsidmap-5.5.2-578-rhel5.x86_64.rpm
./CentrifyDC-cifsidmap-5.5.2-rhel5.x86_64.rpm
./CentrifyDC-curl-5.5.2-578-rhel5.x86_64.rpm
./CentrifyDC-curl-5.5.2-rhel5.x86_64.rpm
./centrifydc-install.cfg
./CentrifyDC-ldapproxy-5.5.2-578-rhel5.x86_64.rpm
./CentrifyDC-ldapproxy-5.5.2-rhel5.x86_64.rpm
./CentrifyDC-nis-5.5.2-578-rhel5.x86_64.rpm
./CentrifyDC-nis-5.5.2-rhel5.x86_64.rpm
./CentrifyDC-openldap-5.5.2-578-rhel5.x86_64.rpm
./CentrifyDC-openldap-5.5.2-rhel5.x86_64.rpm
./CentrifyDC-openssh-7.7p1-5.5.2-568-rhel5.x86_64.rpm
./CentrifyDC-openssh-7.7p1-5.5.2-rhel5.x86_64.rpm
./CentrifyDC-openssl-5.5.2-578-rhel5.x86_64.rpm
./CentrifyDC-openssl-5.5.2-rhel5.x86_64.rpm
./centrify-suite.cfg
./install-express.sh
./install.sh
Installation using RPM with local files
Note: CentrifyDC depends on CentrifyDC-curl, CentrifyDC-openssl and CentrifyDC-openldap.
$ sudo rpm -Uvh CentrifyDC-curl-5.5.2-rhel5.x86_64.rpm CentrifyDC-openldap-5.5.2-rhel5.x86_64.rpm CentrifyDC-openssl-5.5.2-rhel5.x86_64.rpm CentrifyDC-5.5.2-rhel5.x86_64.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:CentrifyDC-openssl-5.5.2-578     ################################# [ 14%]
   2:CentrifyDC-curl-5.5.2-578        ################################# [ 29%]
   3:CentrifyDC-openldap-5.5.2-578    ################################# [ 43%]
   4:CentrifyDC-5.5.2-578             ################################# [ 57%]
Cleaning up / removing...
   5:CentrifyDC-openldap-5.4.3-887    ################################# [ 71%]
   6:CentrifyDC-curl-5.4.3-887        ################################# [ 86%]
   7:CentrifyDC-openssl-5.4.3-887     ################################# [100%]
Done. Note that this only places the binaries in the system. Our software is not activated until adjoin is run successfully.
Verify not joined
$ adinfo
Not joined to any domain
Licensed Features: Enabled
Check readiness to join Active Directory
$ /usr/share/centrifydc/bin/adcheck centrify.vms
OSCHK    : Verify that this is a supported OS : Pass
PATCH    : Linux patch check : Pass
PERL     : Verify perl is present and is a good version : Pass
SAMBA    : Inspecting Samba installation : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass
HOSTNAME : Verify hostname setting : Pass
NSHOSTS  : Check hosts line in /etc/nsswitch.conf : Pass
DNSPROBE : Probe DNS server 192.168.81.10 : Pass
DNSPROBE : Probe DNS server 192.168.81.11 : Warning
         : This DNS server does not respond to requests. This is a serious problem
DNSCHECK : Analyze basic health of DNS servers : Warning
         : One or more DNS servers are dead or marginal.
         : Check the following IP addresses in /etc/resolv.conf.
         :
         : The following table lists the state of all configured
         : DNS servers.
         : 192.168.81.10 (dc.centrify.vms): OK
         : 192.168.81.11 (unknown): dead
         : Only one good DNS server was found
         : You might be able to continue but it is likely that you
         : will have problems.
         : Add more good DNS servers into /etc/resolv.conf.
WHATSSH  : Is this an SSH that Centrify DirectControl Agent works well with: Pass
SSH      : SSHD version and configuration : Warning
         : You are running OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017.
         : Cannot read /etc/ssh/sshd_config, you should run adcheck as root.
DOMNAME  : Check that the domain name is reasonable : Pass
ADDC     : Find domain controllers in DNS : Pass
ADDNS    : DNS lookup of DC dc.centrify.vms : Pass
ADPORT   : Port scan of DC dc.centrify.vms 192.168.81.10 : Pass
ADPORT   : Port scan of DC dc.centrify.vms 192.168.184.167 : Pass
ADDC     : Check Domain Controllers : Pass
ADDNS    : DNS lookup of DC dc.centrify.vms : Pass
GCPORT   : Port scan of GC dc.centrify.vms 192.168.81.10 : Pass
GCPORT   : Port scan of GC dc.centrify.vms 192.168.184.167 : Pass
ADGC     : Check Global Catalog servers : Pass
DCUP     : Check for operational DCs in centrify.vms : Pass
SITEUP   : Check DCs for centrify.vms in our site : Pass
DNSSYM   : Check DNS server symmetry : Pass
ADSITE   : Check that this machine's subnet is in a site known by AD : Pass
GSITE    : See if we think this is the correct site : Pass
TIME     : Check clock synchronization : Pass
ADSYNC   : Check domains all synchronized : Pass
3 warnings were encountered during check. We recommend checking these before proceeding.
Warning summary
- DNS: don't care since it's a test environment. For production, multiple DNS servers are required.
- SSH server: don't care since I'm OK with stock SSH. Not looking to work SSO in a complex AD or Smart Card setup.
Workstation (Express) join
Quick and easy for systems that can be accessible to anyone. For access control, privilege elevation, MFA or audit, see Zone-join.
$ sudo adjoin -w -u dwirth -V centrify.vms
dwirth@CENTRIFY.VMS's password:
Options
-------
Precreate: no
Compatible with 2.x/3.x: no
Enable Apple Scheme to generate UID/GID: no
domain: centrify.vms
user: dwirth@CENTRIFY.VMS
container: null
computer name: rhel74
Pre-Windows 2000 name: rhel74
DNS Host Name used for dNSHostName attr: null
zone: Auto Zone
server: null
zoneserver: null
gc: null
upn: null
noconf: no
set time: yes
force: no
forceDeleteObj: no
forceDeleteObjWithDupSpn: no
trust: no
des: no
self-serve: no
respectEncInConf: no
respectSpnInConf: no
use ldap to create computer object: no
license type: null
createComputerZone: no
forceDeleteExistingComputerZone: no
Setting time
Using settings from previous join (under previous dir) to same domain
Initializing domain settings file to centrify.vms
Attempting bind to centrify.vms(site:) as dwirth@CENTRIFY.VMS on any server
Using domain controller: dc.centrify.vms writable=true
Initializing forest settings file to CENTRIFY.VMS
Attempting bind to CENTRIFY.VMS(site:) as dwirth@CENTRIFY.VMS on any server
Using GC server: dc.centrify.vms
Using global catalog server: dc.centrify.vms
Search for object by samName: filter=(samAccountName=rhel74$) root=DC=centrify,DC=vms
Searching for well known container for computers
Using cn=computers,dc=centrify,dc=vms container for computer object
Saving zone settings
Zone name: DC=centrify,DC=vms
Zone version:
Zone schema: NULL_AUTO
Zone GUID: 00112233445566778899aabbccddeeff
Using RPC to create the computer account
Searching for newly created computer account: DC=centrify,DC=vms
Search for object by samName: filter=(samAccountName=rhel74$) root=DC=centrify,DC=vms
Found existing computer object: CN=rhel74,CN=Computers,DC=centrify,DC=vms
Attempting to update computer dns name...
Update succeeded!
Searching for SPNs in GC...
Attempting to update computer service principal names...
Update succeeded!
Update Computer's Security Descriptor to allow computer object to read/write operating system and operating system version properties as well as reset password.
Looking for ntSecurityDescriptor for object CN=rhel74,CN=Computers,DC=centrify,DC=vms ....
Checking if the required permissions exist.
Not all of the required permissions exist, will add them.
Add Allowed ACE to Read and Write operatingSystemVersion for S-1-5-21-3883016548-1611565816-1967702834-4659.
Add Allowed ACE to Read and Write operatingSystem for S-1-5-21-3883016548-1611565816-1967702834-4659.
Add Allowed ACE to Read and Write operatingSystemServicePack for S-1-5-21-3883016548-1611565816-1967702834-4659.
Add Allowed ACE to Reset Password for S-1-5-21-3883016548-1611565816-1967702834-4659.
Add Allowed ACE to Read userAccountControl for S-1-5-21-3883016548-1611565816-1967702834-4659.
Add Allowed ACE to Validate write to servicePrincipalName for S-1-5-21-3883016548-1611565816-1967702834-4659.
Add Allowed ACE to Validate write to dNSHostName for S-1-5-21-3883016548-1611565816-1967702834-4659.
Unset "Trust for delegation" bit.
Unset "Use Des Key Only" bit.
Set operatingSystemVersion to "6.1:7.4", so that KDC will issue service ticket using AES enctypes.
Set also msDS-supportedEncryptionType to "31"
Update OS information. This requires computer object update rights...
Update OS information succeeded
Update License Type: workstation
Setting machine password...
Setting get init cred callback before set password (rc=0).
Password change succeeded
Samba interoperability is disabled in centrifydc.conf: Skipped synchronizing machine password with Samba
Save kerberos join data...
Using Win 2003 key version 2
Writing kerberos keytab
Updating settings files
Join to domain:centrify.vms, zone:Auto Zone successful
Starting daemon
Centrify DirectControl started.
Waiting for adclient to startup ......
Adclient startup completed!
Loading domains and trusts information
Initializing cache .
You have successfully joined the Active Directory domain: centrify.vms
in the Centrify DirectControl zone: Auto Zone
You may need to restart other services that rely upon PAM and NSS or simply reboot the computer for proper operation. Failure to do so may result in login problems for AD users.
Removing directory '/var/centrifydc/previous'
Validate the join
$ adinfo
Local host name:   rhel74
Joined to domain:  centrify.vms
Joined as:         rhel74.centrify.vms
Pre-win2K name:    rhel74
Current DC:        dc.centrify.vms
Preferred site:    Demo-Network
Zone:              Auto Zone
CentrifyDC mode:   connected
Licensed Features: Enabled
Validate that all users/all groups are visible (count)
$ adquery user | wc -l && adquery group | wc -l
57
55
Installation Using YUM (with Centrify repo)
Commercial customers can set up the repo and leverage tools like yum, apt, zypper, etc.
I hope this helps.
R.P
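As an added example (not Centrify's code and not from the post above), here are shell helpers that parse what adcheck and adinfo print, so the pre-join readiness check and the post-join validation shown in the post can be gated from a deployment script. Function names are mine; the "NAME : description : Pass|Warning|Failed" adcheck line format and the adinfo "Joined to domain:" / "CentrifyDC mode:" lines are assumed from the session output, and the sample output is constructed from it so the script runs offline.

```shell
# Added example, not Centrify's code: parse adcheck/adinfo text for scripted gating.
# Tally adcheck result lines. Assumed format: "NAME : description : Pass|Warning|Failed";
# continuation lines start with whitespace and are skipped.
adcheck_summary() {                        # $1 = adcheck output
    printf '%s\n' "$1" | awk -F':' '
        $1 ~ /^[A-Z0-9]+ *$/ && $3 ~ /^ *Pass/    { pass++ }
        $1 ~ /^[A-Z0-9]+ *$/ && $3 ~ /^ *Warning/ { warn++ }
        $1 ~ /^[A-Z0-9]+ *$/ && $3 ~ /^ *Fail/    { fail++ }
        END { printf "pass=%d warn=%d fail=%d\n", pass, warn, fail }'
}
# Count DNS servers that DNSPROBE could reach; the post notes production needs more than one.
dns_servers_ok() {                         # $1 = adcheck output
    printf '%s\n' "$1" | awk -F':' '
        $1 ~ /^DNSPROBE *$/ && $3 ~ /^ *Pass/ { n++ } END { print n + 0 }'
}
# Succeed only when adinfo reports a join to the expected domain with adclient
# connected; the pre-adjoin "Not joined to any domain" output fails.
adinfo_joined() {                          # $1 = adinfo output, $2 = expected domain
    joined_domain=$(printf '%s\n' "$1" | sed -n 's/^Joined to domain: *//p')
    adclient_mode=$(printf '%s\n' "$1" | sed -n 's/^CentrifyDC mode: *//p')
    [ "$joined_domain" = "$2" ] && [ "$adclient_mode" = "connected" ]
}
# Constructed samples, trimmed from the adcheck/adinfo output in the post.
SAMPLE_ADCHECK='OSCHK    : Verify that this is a supported OS : Pass
DNSPROBE : Probe DNS server 192.168.81.10 : Pass
DNSPROBE : Probe DNS server 192.168.81.11 : Warning
         : This DNS server does not respond to requests. This is a serious problem
DNSCHECK : Analyze basic health of DNS servers : Warning
         : One or more DNS servers are dead or marginal.
WHATSSH  : Is this an SSH that Centrify DirectControl Agent works well with: Pass
SSH      : SSHD version and configuration : Warning
         : Cannot read /etc/ssh/sshd_config, you should run adcheck as root.
TIME     : Check clock synchronization : Pass'
SAMPLE_ADINFO_JOINED='Joined to domain: centrify.vms
Zone: Auto Zone
CentrifyDC mode: connected'
SAMPLE_ADINFO_NOTJOINED='Not joined to any domain
Licensed Features: Enabled'
# Gate: one reachable DNS server is fine for a lab, not for production.
adcheck_summary "$SAMPLE_ADCHECK"
if [ "$(dns_servers_ok "$SAMPLE_ADCHECK")" -lt 2 ]; then
    echo "only one reachable DNS server: acceptable for a lab, not for production"
fi
if adinfo_joined "$SAMPLE_ADINFO_JOINED" centrify.vms; then echo "joined to centrify.vms, adclient connected"; fi
```

On a real host, feed the functions `"$(/usr/share/centrifydc/bin/adcheck <domain>)"` and `"$(adinfo)"` instead of the samples.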