Active Directory based authentication for Linux and Mac
Centrify Express provides Active Directory based authentication and single sign-on for cross-platform systems. It is used to integrate Linux and Mac systems with Windows. Centrify Express installs a program called the DirectControl agent on a UNIX system so that the computer can be a managed system and can be joined to Active Directory in the same manner as a Windows computer. When a computer is managed by the DirectControl agent and connected to a domain, all users and groups defined in Active Directory for the forest automatically become valid users and groups on the UNIX machine unless it is configured to deny or allow specific users or groups access. These users can perform the following common tasks:
- Log on to the UNIX shell or desktop program and use standard programs and services such as telnet, ssh, and ftp.
- Log on to a computer that is disconnected from the network or unable to access Active Directory, if they have successfully logged on and been authenticated by Active Directory previously.
- Manage their Active Directory passwords directly from the UNIX command line, provided they can connect to Active Directory.
Centrify Express consists of:
- DirectControl Express: Joins Linux and Mac systems to Active Directory, giving users multi-platform single sign-on.
- DirectManage Express: Automates discovery, readiness, and deployment of the Express agent for easy integration with Active Directory.
- Centrify-Enabled Open Source Tools: Free, enhanced versions of OpenSSH, PuTTY and Samba for painless integration.
Installation.
DirectControl Express installation steps are simple:
- On the Linux computer, log on as root.
- If necessary, unzip the centrify-suite archive file.
- Run the install-express.sh command to install the Express Agent and Centrify-enabled
./install-express.sh
The installation script begins by running the adcheck program to check the operating system, disk space, DNS resolution, network connectivity, Active Directory configuration and other requirements on the computer. If you receive errors or warnings, see the DirectControl Express Administrator’s Guide for information on how to correct them.
When you run the installation script, answer the prompts as follows:
How do you want to proceed? (E|S|X|C|Q) [X]: X
Type X (the default) for Express Mode. For most of the prompts, you can accept the default value by pressing Enter.
Be certain to specify Yes when prompted to join a domain. For an Express installation, the script automatically joins a computer in unlicensed mode. If you manually join a domain after installation, you must manually turn off licensed features. This process is covered in the Centrify DirectControl Express Administrator’s Guide.
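The DNS-resolution and connectivity checks that adcheck is described as running can also be spot-checked by hand before the installer is started. The script below is an added example, not part of the original post or of Centrify's tooling; the port list, the function names and the example.com hosts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not adcheck: manual pre-join checks for DNS and AD ports.
# Assumed list of TCP ports a join commonly needs on a domain controller:
# DNS, Kerberos, LDAP, SMB, kpasswd, global catalog.
REQUIRED_PORTS="53 88 389 445 464 3268"

# Read `dig +short SRV` answers ("priority weight port target.") on stdin and
# print "target port", lowest priority first. Malformed lines are dropped.
parse_srv() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             sub(/\.$/, "", $4); print $1, $4, $3 }' |
        sort -n -k1,1 | awk '{ print $2, $3 }'
}

# Print the required ports that are absent from the open-port list in $1.
missing_ports() {
    out=""
    for p in $REQUIRED_PORTS; do
        case " $1 " in *" $p "*) ;; *) out="$out${out:+ }$p" ;; esac
    done
    printf '%s\n' "$out"
}

# Live probe of one TCP port with nc(1); returns 0 when the port answers.
probe_port() { nc -z -w 3 "$1" "$2" </dev/null >/dev/null 2>&1; }

# Live mode: locate the domain controllers for domain $1, then probe each.
check_domain() {
    dig +short SRV "_ldap._tcp.dc._msdcs.$1" | parse_srv |
    while read -r dc _port; do
        open=""
        for p in $REQUIRED_PORTS; do
            if probe_port "$dc" "$p"; then open="$open $p"; fi
        done
        printf '%s missing: %s\n' "$dc" "$(missing_ports "$open")"
    done
}

# Constructed sample of SRV answers so the parser can be exercised offline.
SAMPLE_SRV='10 100 389 dc2.example.com.
0 100 389 dc1.example.com.
;; connection timed out; no servers could be reached'

if [ -n "${1:-}" ]; then
    check_domain "$1"          # e.g. ./preflight.sh example.com
else
    printf '%s\n' "$SAMPLE_SRV" | parse_srv
    echo "missing when only 53 88 389 answer: $(missing_ports '53 88 389')"
fi
```

A domain controller that is not a global catalog server will legitimately report 3268 as missing.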
Once installed, users can enter their username in the form that they are most comfortable with, saving time and not requiring them to remember or type a domain name. All of these examples work equally well:
- user.name
- user name
- user.name@domain.com
- domain.com\user.name
One of my favorite features, other than the single login, is that you can authenticate Active Directory users accessing Samba shares, which adds an easier way to add users and keep track of who has access.
Centrify Express supports the following Operating Systems:
Linux
CentOS Linux: 3.8, 3.9, 4.4, 4.6, 4.7, 4.8, 5, 5.1, 5.2, 5.3, 5.4, 5.5 (32-bit & 64-bit)
Citrix XenServer: 4, 4.1, 5 (32-bit)
Debian: 3.1, 4, 5 (32-bit & 64-bit)
Mandriva Linux One: 2008, 2009, 2009.1, 2010, 2010.1 (32-bit)
Novell SUSE Linux: Server 8, 9, 10, 11 (32-bit); Desktop 9.2, 9.3, 10, 11 (32-bit)
Novell SUSE Linux PPC: 9, 10, 11 (64-bit)
Novell SUSE Linux Itanium: 9, 10, 11 (64-bit)
OpenSUSE Linux: 10.1, 10.2, 10.3, 11, 11.1, 11.2 (32-bit)
OpenSUSE Linux: 10.1, 10.2, 10.3, 11, 11.1, 11.2 (64-bit)
Oracle Enterprise Linux: 4, 5 (32-bit & 64-bit)
Red Hat Enterprise Linux: 3, 4, 4.8, 5, 5.1, 5.2, 5.3, 5.4, 5.5 (32-bit & 64-bit)
Red Hat Enterprise Linux Itanium: 4, 4.8, 5, 5.1, 5.2, 5.3, 5.4, 5.5
Red Hat Fedora: 4, 5, 6, 7, 8, 9, 10, 11, 12, 13 (32-bit & 64-bit)
Scientific Linux: 3.0.8, 3.0.9, 4.4, 4.5, 4.6, 4.7, 4.8, 5, 5.1, 5.2, 5.3, 5.4, 5.5 (32-bit & 64-bit)
Ubuntu: 6.06 LTS, 7.04, 7.10, 8.04 LTS, 8.10, 9.04, 9.10, 10.04 LTS x86 (32-bit & 64-bit)
VMWare ESX Server: 3.0, 3.0.1, 3.0.2, 3.5 (32-bit)
VMWare ESX Server: 4 (64-bit)
Mac
Apple Mac OS X: 10.4.5+, 10.5.3+ on PPC, 10.4.5+, 10.5.3+ on Intel (32-bit)
Apple Mac OS X: 10.6 on Intel (32/64-bit)
There is a Centrify Suite that has more functionality but at a price. Centrify Express is free and accomplishes exactly what I was looking for. If you want to integrate Active Directory authentication into your Linux, Unix, or Mac machines, check out Centrify Express; it may be just what you are looking for. You can get more information at their website: www.centrify.com/default.asp
One size fits all hammer makes all OSes nails?
Quest, Likewise and Centrify all offer similar server based functionality.
If the problem to be solved is multi-platform integration, then they all solve UNIX integration and to an extent Mac integration.
That’s the problem that they all try to solve.
If Mac-Windows specifically is the problem to be addressed, there are typically two major factors to consider that just don’t come up with SLES/Solaris/Red Hat etc integration –
1) Is the PC team willing to add specialist server based software just to support Macs i.e. drop using standard tools to add a proprietary 3rd party toolset?
2) Is there a need for Microsoft DFS connection since Macs don’t support that natively? The kinds of sophisticated accounts with AD are typically the ones with DFS. Is the PC team willing to add specialist 3rd party server based software just for the Macs? Is the company willing to have two sets of contracts, two sets of server software and two sets of support to address the Mac-Windows space?
Thanks for bringing up these concerns Josh,
By default Centrify installs a Kerberized version of OpenSSH so that you can have a nice silent sign on experience. However, you can always install without our OpenSSH and configure stock OpenSSH (see How to: Set Up a Centrify-Managed System for Stock SSH).
(Josh, just select the C option in the installer to do a custom install and you can elect to skip the Centrify OpenSSH install)
With this script, you can perform the following tasks:
- Install (update) Centrify Suite Standard Edition (License required) [S]
- Install (update) Centrify Suite Express Edition [X]
- Custom install (update) of individual packages [C]
You can type Q at any prompt to quit the installation and exit
the script without making any changes to your environment.
How do you want to proceed? (S|X|C|Q) [X]: C
Install the Centrify DirectControl 4.4.1 package? (Q|Y|N) [Y]:
Install the CentrifyDC-nis 4.4.1 package? (Q|Y|N) [Y]:N
Install the CentrifyDC-openssh 4.3.1 package? (Q|Y|N) [Y]:N
Do you want to install in Express authentication mode? (Q|Y|N) [Y]:
Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]:
Please enter the Active Directory domain to check: ...
We will be releasing UNIX versions as well.
As for how Centrify compares to Likewise and do-it-yourself, you might want to check out this comparison that includes lab and written analysis by InteropSystems, sponsored by Centrify.
Centrify Express also gives you current Kerberized versions of Samba that are preintegrated with Centrify, PuTTY with forwardable Kerb tickets (for easy SSH hopping), and a great Windows GUI tool to reach out and discover, validate, install and SSO to Linux, UNIX and Macs all from one pane of glass, called DirectManage Express.
Most important, Centrify provides an automated pre-flight checker that ensures a successful install and join with Active Directory. We make sure that DNS, OS patch level, AD port availability and much more are conducive to a successful join of AD. Compare this to other free offerings which provide little preflight advice and when they do it is very manual and technical.
Hope this helps clear things up Josh,
Corey Williams – a Centrify product manager
Likewise Open will get you hooked up to AD and allow you to continue to use your OS’s version of OpenSSH, so when it comes patch time you’re not running into issues. Likewise also runs on other UNIXs like Solaris, AIX, HPUX, FreeBSD, so if you have those in your environment, you can use 1 solution.