Joining GNU/Linux clients to the Active Directory of a Windows domain

Centrify Express is a complete free software suite that provides: joining GNU/Linux, Unix or Mac clients to an Active Directory domain, file sharing, and monitoring and cloud security for multi-platform systems. It is the fastest and most proven solution for integrating UNIX, Linux and Mac with Windows, and it offers greater functionality.

Before installing anything, we prepare the client so that it can reach our domain controller.

To do that, we edit the /etc/resolv.conf file:

cat /etc/resolv.conf
domain cdp.redorbita.com
search cdp.redorbita.com
nameserver 192.168.1.142

Our IP addressing:

tail -n5 /etc/network/interfaces
iface eth0 inet static
address 192.168.1.141
netmask 255.255.255.0
gateway 192.168.1.142

We also check the /etc/nsswitch.conf file, which must contain something like this:

cat /etc/nsswitch.conf | grep -i host
hosts: files dns

Once this is configured, we check that we can reach the domain by name.

ping redorbita.com
PING orbita.com (192.168.1.112) 56(84) bytes of data.
64 bytes from cdp.redorbita.com (192.168.1.142): icmp_req=1 ttl=128 time=0.420 ms
64 bytes from cdp.redorbita.com (192.168.1.142): icmp_req=2 ttl=128 time=0.837 ms
64 bytes from cdp.redorbita.com (192.168.1.142): icmp_req=3 ttl=128 time=0.398 ms
64 bytes from cdp.redorbita.com (192.168.1.142): icmp_req=4 ttl=128 time=0.463 ms

Ready to install.

We go to the official Centrify website and download the client that matches our GNU/Linux (or Unix) distribution and architecture.

*NOTE: To download the product we have to register.
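
The pre-install checks above can be scripted. The following is an added example, not part of the original post or of Centrify's tooling: it computes the effective search list of resolv.conf (where "domain" and "search" both appear, the last one wins), counts the name servers and checks the hosts line of nsswitch.conf. The function names and the sample files (cdp.example.test, 192.0.2.10) are constructed for illustration.

```shell
#!/bin/sh
# Pre-join resolver checks (added example; all sample data is constructed).

# Effective search list: "domain" and "search" are mutually exclusive in
# resolv.conf(5); when both appear, the last one in the file wins.
effective_search() {
    awk '$1 == "domain" || $1 == "search" { $1 = ""; sub(/^ +/, ""); last = $0 }
         END { print last }' "$1"
}

# Number of nameserver entries (a single entry leaves no fallback resolver).
nameserver_count() {
    awk '$1 == "nameserver" && $2 != "" { n++ } END { print n + 0 }' "$1"
}

# Succeeds when the hosts line of nsswitch.conf lists the dns source.
hosts_uses_dns() {
    awk '$1 == "hosts:" { for (i = 2; i <= NF; i++) if ($i == "dns") ok = 1 }
         END { exit !ok }' "$1"
}

# Run all checks for domain $1; print findings, return the number of problems.
preflight() {
    domain=$1 resolv=$2 nss=$3 problems=0
    case " $(effective_search "$resolv") " in
        *" $domain "*) ;;
        *) echo "FAIL: search list does not contain $domain"
           problems=$((problems + 1)) ;;
    esac
    if [ "$(nameserver_count "$resolv")" -lt 2 ]; then
        echo "WARN: fewer than two nameservers"; problems=$((problems + 1))
    fi
    if ! hosts_uses_dns "$nss"; then
        echo "FAIL: hosts line lacks dns"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample input: the search line is deliberately misspelled and
# overrides the correct domain line above it.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'domain cdp.example.test\nsearch cdp.exmaple.test\nnameserver 192.0.2.10\n' > "$tmp/resolv.conf"
printf 'passwd: compat\nhosts: files dns\n' > "$tmp/nsswitch.conf"

preflight cdp.example.test "$tmp/resolv.conf" "$tmp/nsswitch.conf" || echo "problems: $?"
```

On a real client, pass the domain and the paths /etc/resolv.conf and /etc/nsswitch.conf to preflight instead of the sample files.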

http://www.centrify.com/express/free-active-directory-tools-for-linux-mac.asp#agents

Once it is downloaded, we extract it.

tar xvf centrify-suite-2014-deb5-x86_64.tgz

and run the installer.

It will perform a series of checks on the machine and on the configured DNS servers.

./install-express.sh

***** *****
***** WELCOME to the Centrify Suite installer! *****
***** *****

Detecting local platform …

Running ./adcheck-deb5-x86_64 …
OSCHK : Verify that this is a supported OS : Pass
PATCH : Linux patch check : Pass
PORTMAP : Verify that portmap or rpcbind is installed : Pass
PERL : Verify perl is present and is a good version : Pass
SAMBA : Inspecting Samba installation : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass
HOSTNAME : Verify hostname setting : Pass
NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass
DNSPROBE : Probe DNS server 192.168.1.142 : Pass
DNSCHECK : Analyze basic health of DNS servers : Warning
: Only one DNS server was found in /etc/resolv.conf.
: At least one backup DNS server is recommended for
: enterprise installations.
: Only one good DNS server was found
: You might be able to continue but it is likely that you
: will have problems.
: Add more good DNS servers into /etc/resolv.conf.

WHATSSH : Is this an SSH that DirectControl works well with : Pass
SSH : SSHD version and configuration : Warning
: You are running OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013.
:
: This version of OpenSSH does not seem to be configured for PAM,
: ChallengeResponse and Kerberos/GSSAPI support.
: To get Active Directory users to successfully login,
: you need to configure your OpenSSH with the following options:
: (display the ones we identified were not set)
: ChallengeResponseAuthentication yes
: UsePAM Yes
:
: Centrify provides a version of OpenSSH that’s configured properly
: to allow AD users to login and provides Kerberos GSSAPI support.
:
: If you install Centrify Express or Centrify Suite
: Standard or Enterprise Edition, the Centrify build of
: OpenSSH will be installed automatically. Alternatively
: you may choose individual Suite packages to install
: with the Custom install option.

2 warnings were encountered during check. We recommend checking these before proceeding

WARNING: adcheck exited with warning(s).

With this script, you can perform the following tasks:
– Install (update) Centrify Suite Enterprise Edition (License required) [E]
– Install (update) Centrify Suite Standard Edition (License required) [S]
– Install (update) Centrify Suite Express Edition [X]
– Custom install (update) of individual packages [C]

You can type Q at any prompt to quit the installation and exit
the script without making any changes to your environment.

How do you want to proceed? (E|S|X|C|Q) [E]:

Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]:

Please enter the Active Directory domain to check [company.com]: redorbita.com
Join an Active Directory domain? (Q|Y|N) [Y]:y
Enter the Active Directory domain to join [redorbita.com]:
Enter the Active Directory authorized user [administrator]:
Enter the password for the Active Directory user:
Enter the computer name [debian]:
Enter the container DN [Computers]:
Enter the name of the domain controller [auto detect]:
Enable auditing on this computer (DirectAudit NSS mode)? (Q|Y|N) [Y]:
Reboot the computer after installation? (Q|Y|N) [Y]:

You chose Centrify Suite Custom Edition and entered the following:
(E)rase/(R)einstall 5.1.3/(K)eep CentrifyDC-5.1.3 package: K
Install CentrifyDC-nis 5.1.3 package: N
(E)rase/(R)einstall 5.1.3/(K)eep CentrifyDC-openssh-5.1.3 package: K
Install CentrifyDC-ldapproxy 5.1.3 package: N
(E)rase/(R)einstall 3.2.0/(K)eep CentrifyDA-3.2.0 package: K
Express authentication mode : Y
Run adcheck : Y
Join an Active Directory domain : Y
Active Directory domain to join : redorbita.com
Active Directory authorized user : administrator
computer name : debian
container DN : Computers
domain controller name : auto detect
Enable auditing : Y
Reboot computer : Y
If this information is correct and you want to proceed, type «Y».
To change any information, type «N» and enter new information.
Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]:

Running ./adcheck-deb5-x86_64 …
NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass
DNSPROBE : Probe DNS server 192.168.1.142 : Pass
DNSCHECK : Analyze basic health of DNS servers : Warning
: Only one DNS server was found in /etc/resolv.conf.
: At least one backup DNS server is recommended for
: enterprise installations.
: Only one good DNS server was found
: You might be able to continue but it is likely that you
: will have problems.
: Add more good DNS servers into /etc/resolv.conf.

WHATSSH : Is this an SSH that DirectControl works well with : Pass
SSH : SSHD version and configuration : Pass
DOMNAME : Check that the domain name is reasonable : Pass
ADDC : Find domain controllers in DNS : Pass
ADDNS : DNS lookup of DC win-4m249jgaal6.redorbita.com : Pass
ADPORT : Port scan of DC win-4m249jgaal6.redorbita.com : Pass
ADDC : Check Domain Controllers : Pass
ADDNS : DNS lookup of DC win-4m249jgaal6.redorbita.com : Pass
GCPORT : Port scan of GC win-4m249jgaal6.redorbita.com : Pass
ADGC : Check Global Catalog servers : Pass
DCUP : Check for operational DCs in redorbita.com : Pass
SITEUP : Check DCs for redorbita.com in our site : Pass
DNSSYM : Check DNS server symmetry : Pass
ADSITE : Check that this machine’s subnet is in a site known by AD : Pass
GSITE : See if we think this is the correct site : Pass
TIME : Check clock synchronization : Pass
ADSYNC : Check domains all synchronized : Pass
1 warning was encountered during check. We recommend checking this before proceeding

WARNING: adcheck exited with warning(s).
Joining the Active Directory domain redorbita.com …
Using domain controller: win-4m249jgaal6.redorbita.com writable=true
Join to domain:redorbita.com, zone:Auto Zone successful

Centrify DirectControl started.
Loading domains and trusts information

Initializing cache
.
You have successfully joined the Active Directory domain: redorbita.com
in the Centrify DirectControl zone: Auto Zone
You may need to restart other services that rely upon PAM and NSS or simply
reboot the computer for proper operation. Failure to do so may result in
login problems for AD users.

 

Enabling DirectAudit NSS mode …
Restarting DirectAudit daemon …
Rebooting the computer …
Rebooting now …

Broadcast message from root@debian (pts/1) (Wed Mar 5 00:36:14 2014):

The system is going down for reboot NOW!
Install.sh completed successfully. Nothing was installed or uninstalled.


Once it is installed, we create a user on our domain controller and try to log in.

Regards, rokitoh!
