Linux Mint 17/18 is in the supported platforms that we QA, otherwise we would not publish it in the list.
This is good practice, so here it is:
Version Check
$ cat /etc/linuxmint/info
RELEASE=18
CODENAME=sarah
EDITION="Cinnamon 64-bit"
DESCRIPTION="Linux Mint 18 Sarah"
DESKTOP=Gnome
TOOLKIT=GTK
NEW_FEATURES_URL=http://www.linuxmint.com/rel_sarah_cinnamon_whatsnew.php
RELEASE_NOTES_URL=http://www.linuxmint.com/rel_sarah_cinnamon.php
USER_GUIDE_URL=help:linuxmint
GRUB_TITLE=Linux Mint 18 Cinnamon 64-bit
Installation - Checking the packages (I added the Centrify repo)
$ apt list --all-versions | grep centrifydc
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
centrifydc/stable 5.4.0-286 amd64
centrifydc/stable 5.3.1-411 amd64
centrifydc/stable 5.3.1-402 amd64
centrifydc/stable 5.3.0-220 amd64
centrifydc-curl/stable 5.4.0-286 amd64
centrifydc-ldapproxy/stable 5.4.0-286 amd64
centrifydc-ldapproxy/stable 5.3.1-411 amd64
centrifydc-ldapproxy/stable 5.3.1-402 amd64
centrifydc-ldapproxy/stable 5.3.0-220 amd64
centrifydc-nis/stable 5.4.0-286 amd64
centrifydc-nis/stable 5.3.1-411 amd64
centrifydc-nis/stable 5.3.1-402 amd64
centrifydc-nis/stable 5.3.0-220 amd64
centrifydc-openldap/stable 5.4.0-286 amd64
centrifydc-openssh/stable 7.3p1-5.4.0.284 amd64
centrifydc-openssh/stable 7.2p2-5.3.1.391 amd64
centrifydc-openssh/stable 7.1p1-5.3.0.208 amd64
centrifydc-openssl/stable 5.4.0-286 amd64
Installation - Setup
centrifying@mint64 ~ $ sudo apt-get install centrifydc
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  centrifydc-curl centrifydc-openldap centrifydc-openssl
The following NEW packages will be installed:
  centrifydc centrifydc-curl centrifydc-openldap centrifydc-openssl
0 upgraded, 4 newly installed, 0 to remove and 527 not upgraded.
Need to get 30.6 MB of archives.
After this operation, 80.6 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 https://repo.centrify.com/deb stable/main amd64 centrifydc-openssl amd64 5.4.0-286 [2,380 kB]
Get:2 https://repo.centrify.com/deb stable/main amd64 centrifydc-openldap amd64 5.4.0-286 [2,160 kB]
Get:3 https://repo.centrify.com/deb stable/main amd64 centrifydc-curl amd64 5.4.0-286 [336 kB]
Get:4 https://repo.centrify.com/deb stable/main amd64 centrifydc amd64 5.4.0-286 [25.7 MB]
Fetched 30.6 MB in 15s (2,036 kB/s)
Selecting previously unselected package centrifydc-openssl.
(Reading database ... 196079 files and directories currently installed.)
Preparing to unpack .../centrifydc-openssl_5.4.0-286_amd64.deb ...
Unpacking centrifydc-openssl (5.4.0-286) ...
Selecting previously unselected package centrifydc-openldap.
Preparing to unpack .../centrifydc-openldap_5.4.0-286_amd64.deb ...
Unpacking centrifydc-openldap (5.4.0-286) ...
Selecting previously unselected package centrifydc-curl.
Preparing to unpack .../centrifydc-curl_5.4.0-286_amd64.deb ...
Unpacking centrifydc-curl (5.4.0-286) ...
Selecting previously unselected package centrifydc.
Preparing to unpack .../centrifydc_5.4.0-286_amd64.deb ...
Unpacking centrifydc (5.4.0-286) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for systemd (229-4ubuntu4) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up centrifydc-openssl (5.4.0-286) ...
Setting up centrifydc-openldap (5.4.0-286) ...
Setting up centrifydc-curl (5.4.0-286) ...
Setting up centrifydc (5.4.0-286) ...
Configuration - Pre-flight checklist (config files)
# first, check the /etc/nsswitch.conf and /etc/pam.d have no entries or that Kerberos is not configured
$ cat /etc/pam.d/common-auth | grep centrify
$ cat /etc/nsswitch.conf | grep centrify
$ cat /etc/krb5.conf | grep centrify.vms
cat: /etc/krb5.conf: No such file or directory
Running adcheck to verify that all is well to join Active Directory
$ /usr/share/centrifydc/bin/adcheck centrify.vms
OSCHK : Verify that this is a supported OS : Pass
PATCH : Linux patch check : Pass
PORTMAP : Verify that portmap or rpcbind is installed : Warning
        : Could not install CentrifyDC-nis package.
        : PORTMAP not installed. Please install required
        : portmap or rpcbind package, which CentrifyDC-nis
        : depends on
PERL : Verify perl is present and is a good version : Pass
SAMBA : Inspecting Samba installation : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass
HOSTNAME : Verify hostname setting : Pass
NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass
DNSPROBE : Probe DNS server 127.0.1.1 : Pass
DNSCHECK : Analyze basic health of DNS servers : Warning
         : Only one DNS server was found in /etc/resolv.conf.
         : At least one backup DNS server is recommended for
         : enterprise installations.
         : Only one good DNS server was found
         : You might be able to continue but it is likely that you
         : will have problems.
         : Add more good DNS servers into /etc/resolv.conf.
WHATSSH : Is this an SSH that DirectControl works well with : Pass
SSH : SSHD version and configuration : Warning
    : You are running OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g-fips 1 Mar 2016.
    :
    : This version of OpenSSH does not seem to be configured for PAM,
    : ChallengeResponse and Kerberos/GSSAPI support.
    : To get Active Directory users to successfully login,
    : you need to configure your OpenSSH with the following options:
    : (display the ones we identified were not set)
    : ChallengeResponseAuthentication yes
    : UsePAM Yes
    :
    : Centrify provides a version of OpenSSH that's configured properly
    : to allow AD users to login and provides Kerberos GSSAPI support.
DOMNAME : Check that the domain name is reasonable : Pass
ADDC : Find domain controllers in DNS : Pass
ADDNS : DNS lookup of DC dc.centrify.vms : Pass
ADPORT : Port scan of DC dc.centrify.vms 192.168.81.10 : Pass
ADPORT : Port scan of DC dc.centrify.vms 192.168.184.130 : Pass
ADDC : Check Domain Controllers : Pass
ADDNS : DNS lookup of DC dc.centrify.vms : Pass
GCPORT : Port scan of GC dc.centrify.vms 192.168.81.10 : Pass
GCPORT : Port scan of GC dc.centrify.vms 192.168.184.130 : Pass
ADGC : Check Global Catalog servers : Pass
DCUP : Check for operational DCs in centrify.vms : Pass
SITEUP : Check DCs for centrify.vms in our site : Pass
DNSSYM : Check DNS server symmetry : Pass
ADSITE : Check that this machine's subnet is in a site known by AD : Pass
GSITE : See if we think this is the correct site : Pass
TIME : Check clock synchronization : Pass
ADSYNC : Check domains all synchronized : Pass
3 warnings were encountered during check. We recommend checking these before proceeding
# none of the warnings apply to me (no NIS package, any OpenSSH is fine,
and one DNS is fine - testing)
Configuration - Joining AD
# you must run the adjoin command with the workstation flag and have an authorized user that can join (diana).
# note that commercial customers (that get privilege management and more) usually join in zone mode.
$ sudo adjoin -w -u dwirth centrify.vms
dwirth@CENTRIFY.VMS's password:
Using domain controller: dc.centrify.vms writable=true
Join to domain:centrify.vms, zone:Auto Zone successful
Centrify DirectControl started.
Loading domains and trusts information
Initializing cache .
You have successfully joined the Active Directory domain: centrify.vms
in the Centrify DirectControl zone: Auto Zone
You may need to restart other services that rely upon PAM and NSS or simply
reboot the computer for proper operation.
Verification - Config Files
Check to see if Centrify has taken care of all the UNIX frameworks and Kerberos.
$ cat /etc/pam.d/common-auth | grep centrify
auth sufficient pam_centrifydc.so
auth requisite pam_centrifydc.so deny
$ cat /etc/nsswitch.conf | grep centrify
passwd: centrifydc compat
group: centrifydc compat
shadow: centrifydc compat
$ cat /etc/krb5.conf | grep centrify.vms
dc.centrify.vms = CENTRIFY.VMS
.centrify.vms = CENTRIFY.VMS
centrify.vms = CENTRIFY.VMS
mint64.centrify.vms = CENTRIFY.VMS
kdc = dc.centrify.vms:88
master_kdc = dc.centrify.vms:88
kpasswd = dc.centrify.vms:464
kpasswd_server = dc.centrify.vms:464
Checking functionality
List AD users (simpsons only)
$ adquery user | grep simpson
bart.simpson:x:1040191032:1040191032:Bart Simpson:/home/bart.simpson:/bin/bash
homer.simpson:x:1040191034:1040191034:Homer Simpson:/home/homer.simpson:/bin/bash
lisa.simpson:x:1040191030:1040191030:Lisa Simpson:/home/lisa.simpson:/bin/bash
maggie.simpson:x:1040191033:1040191033:Maggie Simpson:/home/maggie.simpson:/bin/bash
marge.simpson:x:1040191031:1040191031:Marge Simpson:/home/marge.simpson:/bin/bash
List AD groups (simpsons only)
$ adquery group | grep simpson
centrify-global-unixgroup-simpson:x:1040191043:dwirth,lisa.simpson
centrify-global-mixed-pci-auditor:x:1040191041:homer.simpson
centrify-global-unix-dbas:x:1040191040:lisa.simpson
centrify-global-unix-sysadmins:x:1040191038:marge.simpson
centrify-global-unix-webadmins:x:1040191039:bart.simpson
centrify-global-windows-admins:x:1040191042:maggie.simpson
ad-aws-ec2-users:x:1040191526:lisa.simpson
Get more information about Bart
centrifying@mint64 ~ $ adquery user -A bart.simpson
unixname:bart.simpson
uid:1040191032
gid:1040191032
gecos:Bart Simpson
home:/home/bart.simpson
shell:/bin/bash
auditLevel:AuditIfPossible
isAlwaysPermitLogin:false
dn:CN=Bart Simpson,OU=Simpsons,OU=Staff,DC=centrify,DC=vms
samAccountName:bart.simpson
displayName:Bart Simpson
sid:S-1-5-21-3883016548-1611565816-1967702834-3640
canonicalName:centrify.vms/Staff/Simpsons/Bart Simpson
passwordHash:x
guid:3cd2b690-b24c-4d5c-a125-2e7733dea990
requireMfa:false
zoneEnabled:true
unixGroups:bart.simpson,centrify-global-unix-webadmins,domain_users
memberOf:centrify.vms/Centrify/User Roles/centrify-global-unix-webadmins,centrify.vms/Users/Domain Users
Get more information about ad-aws-ec2-users
adquery group -A ad-aws-ec2-users -A
unixname:ad-aws-ec2-users
gid:1040191526
required:false
dn:CN=AD-AWS-EC2-Users,OU=Groups,OU=Staff,DC=centrify,DC=vms
groupType:global security
samAccountName:AD-AWS-EC2-Users
sid:S-1-5-21-3883016548-1611565816-1967702834-4134
canonicalName:centrify.vms/Staff/Groups/AD-AWS-EC2-Users
members:centrify.vms/Staff/Simpsons/Lisa Simpson
unixMembers:lisa.simpson
Login using Switch User (bart)
$ su - bart.simpson
Password:
Password will expire in 41 days
Created home directory
Login Using SSH Client (lisa)
$ ssh lisa.simpson@mint64.centrify.vms
The authenticity of host 'mint64.centrify.vms (127.0.1.1)' can't be established.
ECDSA key fingerprint is SHA256:GRB+Bk2JTaLtynCMp67O2jHSlNoWSciMCuIBhFtHEMg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'mint64.centrify.vms' (ECDSA) to the list of known hosts.
lisa.simpson@mint64.centrify.vms's password:
Password will expire in 1 days
Created home directory
Welcome to Linux Mint 18 Sarah (GNU/Linux 4.4.0-21-generic x86_64)
 * Documentation: https://www.linuxmint.com
Login via GUI (after reboot, with Bart)
I think this should cover it.
My personal hunch is that there's something unorthodox in your system (configuration).
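
The pre-flight and post-join greps from the post above, wrapped into one repeatable check; this is an added example, not part of the original post and not Centrify code. The function names, the ROOT parameter and the fixture files are assumptions (the fixture content is constructed from the output shown in the post). It reports "partial" when only some of PAM, NSS and Kerberos carry the Centrify entries, which is the state worth catching when something unorthodox is suspected in a system's configuration.

```shell
#!/bin/sh
# config_state ROOT DOMAIN  ->  prints clean | partial | configured
# ROOT is a hypothetical prefix so the check can run on a copy of /etc.
config_state() {
    root=$1 domain=$2 hits=0 nss=0
    # PAM: the post shows pam_centrifydc.so lines in common-auth after adjoin
    grep -qs 'pam_centrifydc\.so' "$root/etc/pam.d/common-auth" && hits=$((hits + 1))
    # NSS: passwd, group and shadow must each list the centrifydc source
    for db in passwd group shadow; do
        grep -Eqs "^$db:.*[[:space:]]centrifydc([[:space:]]|\$)" \
            "$root/etc/nsswitch.conf" && nss=$((nss + 1))
    done
    [ "$nss" -eq 3 ] && hits=$((hits + 1))
    # Kerberos: a kdc line naming a host in the joined domain
    grep -s 'kdc[[:space:]]*=' "$root/etc/krb5.conf" \
        | grep -qF -- "$domain" && hits=$((hits + 1))
    case $hits in
        0) echo clean ;;
        3) echo configured ;;
        *) echo partial ;;
    esac
}

# make_sample DIR STATE: constructed fixture, not real system files.
make_sample() {
    dir=$1 state=$2
    mkdir -p "$dir/etc/pam.d"
    : > "$dir/etc/pam.d/common-auth"
    printf 'passwd: compat\ngroup: compat\nshadow: compat\n' > "$dir/etc/nsswitch.conf"
    [ "$state" = clean ] && return 0
    printf 'auth sufficient pam_centrifydc.so\nauth requisite pam_centrifydc.so deny\n' \
        > "$dir/etc/pam.d/common-auth"
    printf 'passwd: centrifydc compat\ngroup: centrifydc compat\nshadow: centrifydc compat\n' \
        > "$dir/etc/nsswitch.conf"
    [ "$state" = partial ] && return 0
    printf 'kdc = dc.centrify.vms:88\nmaster_kdc = dc.centrify.vms:88\n' > "$dir/etc/krb5.conf"
}

# Demo over the three constructed fixtures.
tmp=$(mktemp -d)
for s in clean partial configured; do
    make_sample "$tmp/$s" "$s"
    echo "$s fixture: $(config_state "$tmp/$s" centrify.vms)"
done
rm -rf "$tmp"
```

On a real host the call would be `config_state "" centrify.vms`; a "configured" result only says the files are in place, so adquery and a test login as shown in the post are still the functional check.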