
Enabling User Access restriction in Docker container through centrify


I have an EC2 box where we have multiple docker containers running (say 10 containers for example).

These containers are created from the same docker image. Centrify installation and AD group join is already configured on the EC2 box, which means a user needs to provide their "Single Sign On" credentials in order to log in to the EC2 box.

Situation in hand:

We want to create 1 Docker container per user environment. This means each user will have their own dedicated docker container. 1 centrify user shouldn't be able to log in to a 2nd centrify user's docker container.

For this we have created a custom shell script & placed it inside /usr/local/bin (/usr/local/bin/custom_usr_shell). The permission of the custom_usr_shell script is 777.

                cat /usr/local/bin/custom_usr_shell

                      #!/bin/bash

                      # the container is named after the login user
                      container_name=$(logname)

                      # start the user's container (no-op if already running), quoted so odd names cannot split
                      docker start "$container_name"

                      # drop the user into an interactive shell inside their container
                      docker exec -it "$container_name" /bin/bash

 

We want to run this custom shell (/usr/local/bin/custom_usr_shell) when any centrify user logs in to the EC2 box, because the custom script, on execution, will take a centrify user directly inside their docker container rather than the default /home/<user> location.
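A hardened form of the same per-user login shell, as an added example that is not the poster's script and not Centrify or Docker code: it derives the container name the same way but falls back to id -un when logname has no controlling tty, rejects any login name that is not a safe docker container name, refuses to start if no container of that name exists, and exec's into the container so the wrapper process is replaced. It assumes (not stated in the post) that the container is named exactly after the AD login name and that the file is installed root-owned with mode 755 rather than 777, since a world-writable login shell can be edited by any local user and then runs for every login.

```bash
#!/bin/bash
# custom_usr_shell (hardened variant, added example; assumes mode 755, owner root)
# Assumption: container name == login name of the AD user.

# Resolve the login name. logname(1) fails without a controlling tty,
# so fall back to the effective user name.
resolve_login_name() {
    local name
    name=$(logname 2>/dev/null) || name=$(id -un)
    printf '%s\n' "$name"
}

# Accept only names docker accepts as container names:
# first char alphanumeric, rest letters/digits/./_/-. Anything else is refused
# so the login name can never inject options or paths into the docker command.
validate_container_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;   # empty or contains a disallowed char
        [A-Za-z0-9]*)         return 0 ;;   # well-formed
        *)                    return 1 ;;   # starts with . _ or -
    esac
}

# True when a container (not just an image) of that name exists.
container_exists() {
    docker inspect --type container --format '{{.Name}}' "$1" >/dev/null 2>&1
}

main() {
    local name
    name=$(resolve_login_name)

    if ! validate_container_name "$name"; then
        printf 'custom_usr_shell: refusing unsafe login name "%s"\n' "$name" >&2
        exit 1
    fi
    if ! command -v docker >/dev/null 2>&1; then
        echo "custom_usr_shell: docker client not found" >&2
        exit 1
    fi
    if ! container_exists "$name"; then
        # No container for this user: fail closed instead of dropping to a host shell.
        echo "custom_usr_shell: no container named '$name' for this user" >&2
        exit 1
    fi

    docker start "$name" >/dev/null || exit 1
    # exec replaces the wrapper, so the SSH session ends when the container shell exits.
    exec docker exec -it "$name" /bin/bash
}

# Act as a login shell only when invoked under the installed name; sourcing the
# file (for example from a test) just defines the functions above.
case "${0##*/}" in
    custom_usr_shell) main "$@" ;;
esac
```

The name check is the part worth keeping even if the rest is adapted: the value comes from the login name, which the administrator controls through AD, but validating it before it reaches a docker command line costs nothing and keeps the script safe if the naming convention ever changes.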

 

Issue being Faced:

Followed instructions about modifying the shell for all users OR a single user, but the issue still exists. Refer to http://community.centrify.com/t5/Centrify-Express/how-to-change-user-shell/td-p/17480

 

 

Option 1: Modify shell for all users. Performed below with no success.

Modified /etc/centrifydc/centrifydc.conf & changed "# auto.schema.shell: /bin/bash" line to

"auto.schema.shell: /usr/local/bin/custom_usr_shell", followed by adreload & adflush.

 

Option 2: Modify shell for a single user. Performed below as well with no success.

Created a passwd.ovr file with the below contents.

                     cat /etc/centrifydc/passwd.ovr

                     +user_id:::::::/usr/local/bin/custom_usr_shell

                     +:::::::

 

                     chmod 644 /etc/centrifydc/passwd.ovr

                     adreload

                     adflush

 

Error Message when user tries to login:

Could not chdir to home directory /home/<user_id>: Permission denied
DirectAudit was run as -centrifyda and determined that the real executable to run is /usr/local/bin/custom_usr_shell, however /usr/local/bin/cdax/custom_usr_shell does not seem to exist, or the current user does not have appropriate execute permissions to start it. Please contact your administrator to either replace /usr/local/bin/custom_usr_shell with a known good shell binary (for instance: from media, backups or network), modify the execute permissions on /usr/local/bin/custom_usr_shell, or to manually disable auditing. Note that as auditing for -centrifyda is currently broken, it is recommended that you avoid execution of any scripts which are interpreted by -centrifyda.

DirectAudit tries to maintain a backup copy of the default system shell, while this shell is not currently available, you may be able to mount the appropriate filesystem to retrieve and use that copy in recovery operations. Copies are kept in the following locations: /usr/share/centrifydc/bin/da.emergency.shell and /etc/centrifyda/da.emergency.shell
Connection to xx.xxx.xx.xx closed.

